Jekyll2022-10-02T09:31:30+00:00https://ziponia.github.io/feed.xml제프의 Study Room제프의 스터디룸에 오신것을 환영합니다. Welcome to Zef's Study Room!Spring oauth2 server with social login2020-01-17T00:00:00+00:002020-01-17T00:00:00+00:00https://ziponia.github.io/2020/01/17/spring-react-social-login<p>Spring Boot 로 Rest 방식의 소셜 로그인을 만들어보자.</p>
<p>사전에 앞서, 이부분에서 오피셜 플로우가 있는지는 잘 모르겠다.</p>
<p>많이 알려진(?) 방법으로는 social 로그인 후 code 를 서버로 전송 해, 서버가 access token 을 받아, 클라이언트로 넘겨준다는 방식으로 많이 설명하는 것 같던데,</p>
<p>이렇게 되면 소셜 configration 정보를 서버와 클라이언트가 모두 가지고있어야 하는 불편함이 있어, 방법을 찾아보다가 이 방법이 개인적으로 가장 선호하는 방법이 되었다.</p>
<p>사전에 앞서, 기술스택은 다음과 같다.</p>
<ul>
<li>spring boot
<ul>
<li>oauth2-auto-configure</li>
</ul>
</li>
<li>kakao</li>
<li>vue (그냥 포스팅하면 밋밋해서 사용해봤다.)</li>
</ul>
<p>진행 될 프로세스는 다음과 같다.</p>
<ul>
<li>클라이언트는 소셜 로그인을 한다.</li>
<li>로그인 후 받은 토큰으로 서버에 인증요청을 한다.</li>
<li>서버는 받은 토큰으로, provider 인증서버로 사용자정보를 요청한다.</li>
<li>받아온 사용자 정보를 토대로, Security Context 로 등록하고 서버전용 토큰을 발급한다.</li>
<li>클라이언트는 provider 에서 발급받은 토큰으로 provider resource 를. 서버에서 발급받은 토큰으로, 서버 resource 를 요청한다.</li>
</ul>
<p>이제 코딩을 시작하자.</p>
<p>먼저 스프링 부트 프로젝트를 생성한다.</p>
<p><img src="/images/spsocal-1.png" alt="이미지" /></p>
<p>라이브러리는 다음처럼 다운받았다.</p>
<div class="language-groovy highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">dependencies</span> <span class="o">{</span>
<span class="n">implementation</span> <span class="s1">'org.springframework.boot:spring-boot-starter-data-jpa'</span>
<span class="n">implementation</span> <span class="s1">'org.springframework.boot:spring-boot-starter-web'</span>
<span class="n">implementation</span> <span class="nl">group:</span> <span class="s1">'org.springframework.security.oauth.boot'</span><span class="o">,</span> <span class="nl">name:</span> <span class="s1">'spring-security-oauth2-autoconfigure'</span><span class="o">,</span> <span class="nl">version:</span> <span class="s1">'2.2.2.RELEASE'</span>
<span class="n">compileOnly</span> <span class="s1">'org.projectlombok:lombok'</span>
<span class="n">developmentOnly</span> <span class="s1">'org.springframework.boot:spring-boot-devtools'</span>
<span class="n">runtimeOnly</span> <span class="s1">'com.h2database:h2'</span>
<span class="n">annotationProcessor</span> <span class="s1">'org.projectlombok:lombok'</span>
<span class="n">testImplementation</span><span class="o">(</span><span class="s1">'org.springframework.boot:spring-boot-starter-test'</span><span class="o">)</span> <span class="o">{</span>
<span class="n">exclude</span> <span class="nl">group:</span> <span class="s1">'org.junit.vintage'</span><span class="o">,</span> <span class="nl">module:</span> <span class="s1">'junit-vintage-engine'</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>필요한 라이브러리는 모두 다운받았다.</p>
<h2 id="authenticationprovider">AuthenticationProvider</h2>
<p>AuthenticationProvider 를 만들자.</p>
<p>이 클래스가 할 일은, 사용자 정보를 조회하고, Security Context 에 등록 할 Authentication 객체를 만드는 일이다.
먼저 토큰을 생성 할 인증서버를 만들자.</p>
<p><em>AuthenticationProvider.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Slf4j</span>
<span class="nd">@Component</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">UserDetailsServiceProvider</span> <span class="kd">implements</span> <span class="nc">AuthenticationProvider</span> <span class="o">{</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="nc">Authentication</span> <span class="nf">authenticate</span><span class="o">(</span><span class="nc">Authentication</span> <span class="n">authentication</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">AuthenticationException</span> <span class="o">{</span>
<span class="c1">// ..TODO DB 처리</span>
<span class="nc">UsernamePasswordAuthenticationToken</span> <span class="n">token</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">UsernamePasswordAuthenticationToken</span><span class="o">(</span>
<span class="n">authentication</span><span class="o">.</span><span class="na">getName</span><span class="o">(),</span>
<span class="kc">null</span><span class="o">,</span>
<span class="nc">AuthorityUtils</span><span class="o">.</span><span class="na">createAuthorityList</span><span class="o">(</span><span class="s">"BASIC_UESR"</span><span class="o">)</span>
<span class="o">);</span>
<span class="k">return</span> <span class="n">token</span><span class="o">;</span>
<span class="o">}</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="kt">boolean</span> <span class="nf">supports</span><span class="o">(</span><span class="nc">Class</span><span class="o"><?></span> <span class="n">authentication</span><span class="o">)</span> <span class="o">{</span>
<span class="k">return</span> <span class="n">authentication</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="nc">UsernamePasswordAuthenticationToken</span><span class="o">.</span><span class="na">class</span><span class="o">);</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>일단 들어오는 요청마다, 유저를 생성 할 수 있도록 하였다.</p>
<p>다음으로 WebSecurityConfig 를 만들어, 필요한 부품을 꺼내온다.</p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Configuration</span>
<span class="nd">@EnableWebSecurity</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">WebSecurityConfig</span> <span class="kd">extends</span> <span class="nc">WebSecurityConfigurerAdapter</span> <span class="o">{</span>
<span class="nd">@Autowired</span>
<span class="kd">private</span> <span class="nc">AuthenticationProvider</span> <span class="n">authenticationProvider</span><span class="o">;</span>
<span class="nd">@Override</span>
<span class="kd">protected</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">AuthenticationManagerBuilder</span> <span class="n">auth</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="n">auth</span><span class="o">.</span><span class="na">authenticationProvider</span><span class="o">(</span><span class="n">authenticationProvider</span><span class="o">)</span>
<span class="o">.</span><span class="na">inMemoryAuthentication</span><span class="o">()</span>
<span class="o">.</span><span class="na">withUser</span><span class="o">(</span><span class="s">"user"</span><span class="o">).</span><span class="na">password</span><span class="o">(</span><span class="n">passwordEncoder</span><span class="o">().</span><span class="na">encode</span><span class="o">(</span><span class="s">"1234"</span><span class="o">)).</span><span class="na">authorities</span><span class="o">(</span><span class="s">"BASIC_USER"</span><span class="o">);</span>
<span class="o">}</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">WebSecurity</span> <span class="n">web</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="kd">super</span><span class="o">.</span><span class="na">configure</span><span class="o">(</span><span class="n">web</span><span class="o">);</span>
<span class="o">}</span>
<span class="nd">@Bean</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="nc">AuthenticationManager</span> <span class="nf">authenticationManagerBean</span><span class="o">()</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="k">return</span> <span class="kd">super</span><span class="o">.</span><span class="na">authenticationManagerBean</span><span class="o">();</span>
<span class="o">}</span>
<span class="cm">/**
* @see <a href="https://oddpoet.net/blog/2017/04/27/cors-with-spring-security/">
* https://oddpoet.net/blog/2017/04/27/cors-with-spring-security/
* </a>
*/</span>
<span class="nd">@Bean</span>
<span class="kd">public</span> <span class="nc">CorsConfigurationSource</span> <span class="nf">corsConfigurationSource</span><span class="o">()</span> <span class="o">{</span>
<span class="nc">CorsConfiguration</span> <span class="n">configuration</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CorsConfiguration</span><span class="o">();</span>
<span class="n">configuration</span><span class="o">.</span><span class="na">addAllowedOrigin</span><span class="o">(</span><span class="s">"*"</span><span class="o">);</span>
<span class="n">configuration</span><span class="o">.</span><span class="na">addAllowedMethod</span><span class="o">(</span><span class="s">"*"</span><span class="o">);</span>
<span class="n">configuration</span><span class="o">.</span><span class="na">addAllowedHeader</span><span class="o">(</span><span class="s">"*"</span><span class="o">);</span>
<span class="n">configuration</span><span class="o">.</span><span class="na">setAllowCredentials</span><span class="o">(</span><span class="kc">true</span><span class="o">);</span>
<span class="n">configuration</span><span class="o">.</span><span class="na">setMaxAge</span><span class="o">(</span><span class="mi">3600L</span><span class="o">);</span>
<span class="nc">UrlBasedCorsConfigurationSource</span> <span class="n">source</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">UrlBasedCorsConfigurationSource</span><span class="o">();</span>
<span class="n">source</span><span class="o">.</span><span class="na">registerCorsConfiguration</span><span class="o">(</span><span class="s">"/**"</span><span class="o">,</span> <span class="n">configuration</span><span class="o">);</span>
<span class="k">return</span> <span class="n">source</span><span class="o">;</span>
<span class="o">}</span>
<span class="nd">@Bean</span>
<span class="kd">public</span> <span class="nc">PasswordEncoder</span> <span class="nf">passwordEncoder</span><span class="o">()</span> <span class="o">{</span>
<span class="k">return</span> <span class="k">new</span> <span class="nf">BCryptPasswordEncoder</span><span class="o">();</span>
<span class="o">}</span>
<span class="nd">@Bean</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="nc">UserDetailsService</span> <span class="nf">userDetailsServiceBean</span><span class="o">()</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="k">return</span> <span class="kd">super</span><span class="o">.</span><span class="na">userDetailsServiceBean</span><span class="o">();</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>위에서 만든 <code class="language-plaintext highlighter-rouge">AuthenticationProvider</code> 를 <code class="language-plaintext highlighter-rouge">AuthenticationManagerBuilder</code> 에 주입 해 주고,
<code class="language-plaintext highlighter-rouge">PasswordEncoder</code>, <code class="language-plaintext highlighter-rouge">AuthenticationManager</code>, <code class="language-plaintext highlighter-rouge">UserDetailsService</code> 를 꺼내왔다.</p>
<p>다음으로, 인증서버를 만들어 앤드포인트를 보호하면서 토큰을 생성 할 수 있는 클래스를 만들자.</p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Configuration</span>
<span class="nd">@EnableAuthorizationServer</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">AuthorizationServerConfig</span> <span class="kd">extends</span> <span class="nc">AuthorizationServerConfigurerAdapter</span> <span class="o">{</span>
<span class="nd">@Autowired</span>
<span class="kd">private</span> <span class="nc">AuthenticationManager</span> <span class="n">authenticationManager</span><span class="o">;</span>
<span class="nd">@Autowired</span>
<span class="kd">private</span> <span class="nc">PasswordEncoder</span> <span class="n">passwordEncoder</span><span class="o">;</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">AuthorizationServerSecurityConfigurer</span> <span class="n">security</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="kd">super</span><span class="o">.</span><span class="na">configure</span><span class="o">(</span><span class="n">security</span><span class="o">);</span>
<span class="o">}</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">ClientDetailsServiceConfigurer</span> <span class="n">clients</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="n">clients</span>
<span class="o">.</span><span class="na">inMemory</span><span class="o">()</span>
<span class="o">.</span><span class="na">withClient</span><span class="o">(</span><span class="s">"client"</span><span class="o">)</span>
<span class="o">.</span><span class="na">secret</span><span class="o">(</span><span class="n">passwordEncoder</span><span class="o">.</span><span class="na">encode</span><span class="o">(</span><span class="s">"secret"</span><span class="o">))</span>
<span class="o">.</span><span class="na">authorities</span><span class="o">(</span><span class="s">"BASIC_CLIENT"</span><span class="o">)</span>
<span class="o">.</span><span class="na">scopes</span><span class="o">(</span><span class="s">"basic"</span><span class="o">)</span>
<span class="o">.</span><span class="na">authorizedGrantTypes</span><span class="o">(</span><span class="s">"password"</span><span class="o">,</span> <span class="s">"refresh_token"</span><span class="o">);</span>
<span class="o">}</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">AuthorizationServerEndpointsConfigurer</span> <span class="n">endpoints</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="n">endpoints</span>
<span class="o">.</span><span class="na">tokenServices</span><span class="o">(</span><span class="n">authorizationServerTokenServices</span><span class="o">())</span>
<span class="o">.</span><span class="na">authenticationManager</span><span class="o">(</span><span class="n">authenticationManager</span><span class="o">);</span>
<span class="o">}</span>
<span class="nd">@Bean</span>
<span class="kd">public</span> <span class="nc">AuthorizationServerTokenServices</span> <span class="nf">authorizationServerTokenServices</span><span class="o">()</span> <span class="o">{</span>
<span class="nc">DefaultTokenServices</span> <span class="n">services</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DefaultTokenServices</span><span class="o">();</span>
<span class="n">services</span><span class="o">.</span><span class="na">setTokenStore</span><span class="o">(</span><span class="n">tokenStore</span><span class="o">());</span>
<span class="n">services</span><span class="o">.</span><span class="na">setTokenEnhancer</span><span class="o">(</span><span class="n">tokenConverter</span><span class="o">());</span>
<span class="n">services</span><span class="o">.</span><span class="na">setSupportRefreshToken</span><span class="o">(</span><span class="kc">true</span><span class="o">);</span>
<span class="n">services</span><span class="o">.</span><span class="na">setAuthenticationManager</span><span class="o">(</span><span class="n">authenticationManager</span><span class="o">);</span>
<span class="k">return</span> <span class="n">services</span><span class="o">;</span>
<span class="o">}</span>
<span class="nd">@Bean</span>
<span class="kd">public</span> <span class="nc">JwtAccessTokenConverter</span> <span class="nf">tokenConverter</span><span class="o">()</span> <span class="o">{</span>
<span class="k">return</span> <span class="k">new</span> <span class="nf">JwtAccessTokenConverter</span><span class="o">();</span>
<span class="o">}</span>
<span class="nd">@Bean</span>
<span class="kd">public</span> <span class="nc">TokenStore</span> <span class="nf">tokenStore</span><span class="o">()</span> <span class="o">{</span>
<span class="k">return</span> <span class="k">new</span> <span class="nf">JwtTokenStore</span><span class="o">(</span><span class="n">tokenConverter</span><span class="o">());</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p><code class="language-plaintext highlighter-rouge">WebSecurityConfig</code> 에서 꺼내온, <code class="language-plaintext highlighter-rouge">PasswordEncoder</code> 와 <code class="language-plaintext highlighter-rouge">AuthenticationManager</code> 를 주입 해주고,
가상의 메모리 Client 를 <code class="language-plaintext highlighter-rouge">client / secret</code> 으로 생성하였다.</p>
<p>이렇게 만든 이유는, 소셜 인증을 요청 할 경우, 해당 애플리케이션에서 들어 온 요청정보가
우리 애플리케이션이 맞다는 검증을 하기 위해 만든것이다.</p>
<p>또, 토큰 타입을 JWT 타입으로 변경하여, 요청에 필요 한 서버 자원을 절약 하도록 하였다.</p>
<p>마지막으로, ResourceServer 를 구현하여, API 앤드포인트를 보호하자.</p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Order</span><span class="o">(-</span><span class="mi">100</span><span class="o">)</span>
<span class="nd">@Configuration</span>
<span class="nd">@EnableResourceServer</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">ResourceServerConfig</span> <span class="kd">extends</span> <span class="nc">ResourceServerConfigurerAdapter</span> <span class="o">{</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">ResourceServerSecurityConfigurer</span> <span class="n">resources</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="kd">super</span><span class="o">.</span><span class="na">configure</span><span class="o">(</span><span class="n">resources</span><span class="o">);</span>
<span class="o">}</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="n">http</span>
<span class="o">.</span><span class="na">requestMatchers</span><span class="o">()</span>
<span class="o">.</span><span class="na">mvcMatchers</span><span class="o">(</span><span class="s">"/oauth/**"</span><span class="o">,</span> <span class="s">"/api/**"</span><span class="o">)</span>
<span class="o">.</span><span class="na">and</span><span class="o">()</span>
<span class="o">.</span><span class="na">cors</span><span class="o">()</span>
<span class="o">.</span><span class="na">and</span><span class="o">()</span>
<span class="o">.</span><span class="na">csrf</span><span class="o">().</span><span class="na">disable</span><span class="o">()</span>
<span class="o">.</span><span class="na">authorizeRequests</span><span class="o">()</span>
<span class="o">.</span><span class="na">antMatchers</span><span class="o">(</span><span class="s">"/oauth/**"</span><span class="o">).</span><span class="na">hasAuthority</span><span class="o">(</span><span class="s">"BASIC_CLIENT"</span><span class="o">)</span>
<span class="o">.</span><span class="na">antMatchers</span><span class="o">(</span><span class="s">"/api/**"</span><span class="o">).</span><span class="na">authenticated</span><span class="o">()</span>
<span class="o">.</span><span class="na">and</span><span class="o">();</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>기본적인 설정을 마쳤으니, 테스트를 하기 위해 컨트롤러 하나를 생성해보자.</p>
<p><em>AccountController.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@RestController</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">AccountController</span> <span class="o">{</span>
<span class="nd">@Autowired</span>
<span class="kd">private</span> <span class="nc">TokenEndpoint</span> <span class="n">tokenEndpoint</span><span class="o">;</span>
<span class="nd">@PostMapping</span><span class="o">(</span><span class="n">value</span> <span class="o">=</span> <span class="s">"/oauth/token"</span><span class="o">)</span>
<span class="kd">public</span> <span class="nc">ResponseEntity</span><span class="o"><</span><span class="nc">OAuth2AccessToken</span><span class="o">></span> <span class="nf">postAccessToken</span><span class="o">(</span>
<span class="nc">Principal</span> <span class="n">principal</span><span class="o">,</span>
<span class="nd">@RequestParam</span> <span class="nc">Map</span><span class="o"><</span><span class="nc">String</span><span class="o">,</span> <span class="nc">String</span><span class="o">></span> <span class="n">parameters</span>
<span class="o">)</span> <span class="kd">throws</span> <span class="nc">HttpRequestMethodNotSupportedException</span> <span class="o">{</span>
<span class="k">return</span> <span class="n">tokenEndpoint</span><span class="o">.</span><span class="na">postAccessToken</span><span class="o">(</span><span class="n">principal</span><span class="o">,</span> <span class="n">parameters</span><span class="o">);</span>
<span class="o">}</span>
<span class="nd">@GetMapping</span><span class="o">(</span><span class="n">value</span> <span class="o">=</span> <span class="s">"/api/me"</span><span class="o">)</span>
<span class="kd">public</span> <span class="nc">ResponseEntity</span><span class="o"><</span><span class="nc">Object</span><span class="o">></span> <span class="nf">me</span><span class="o">(</span><span class="nc">Principal</span> <span class="n">principal</span><span class="o">)</span> <span class="o">{</span>
<span class="k">return</span> <span class="nc">ResponseEntity</span><span class="o">.</span><span class="na">ok</span><span class="o">(</span><span class="n">principal</span><span class="o">);</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>postman 으로 요청 하여, 토큰을 발급하면 준비는 끝났다.</p>
<p><img src="/images/sso_rest-3.png" alt="image" /></p>
<p><img src="/images/sso-4.png" alt="image" /></p>
<p><img src="/images/sso-rest-5.png" alt="image" /></p>
<h2 id="kakao-client-에서-유저정보-받아오기">Kakao Client 에서 유저정보 받아오기</h2>
<p>위에서는 토큰 발급을 하기 위한, 기본적인 부분을 만들었고, 이제 실제로 유저 정보를 받아서</p>
<p>우리가 만든 인증시스템에 등록 하는 작업을 해보자.</p>
<p>먼저 클라이언트에서 전달 받은, 토큰으로 카카오 유저 정보를 조회 할 수 있는 Rest Client 를 만들자.</p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Service</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">KakaoClient</span> <span class="o">{</span>
<span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">KAKAO_HOST</span> <span class="o">=</span> <span class="s">"https://kapi.kakao.com"</span><span class="o">;</span>
<span class="kd">public</span> <span class="nc">ResponseEntity</span><span class="o"><</span><span class="nc">HashMap</span><span class="o"><</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Object</span><span class="o">>></span> <span class="nf">me</span><span class="o">(</span><span class="nc">String</span> <span class="n">access_token</span><span class="o">)</span> <span class="o">{</span>
<span class="nc">RestTemplate</span> <span class="n">template</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">RestTemplate</span><span class="o">();</span>
<span class="nc">MultiValueMap</span><span class="o"><</span><span class="nc">String</span><span class="o">,</span> <span class="nc">String</span><span class="o">></span> <span class="n">headers</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HttpHeaders</span><span class="o">();</span>
<span class="n">headers</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"Authorization"</span><span class="o">,</span> <span class="s">"Bearer "</span> <span class="o">+</span> <span class="n">access_token</span><span class="o">);</span>
<span class="nc">HttpEntity</span><span class="o"><</span><span class="nc">MultiValueMap</span><span class="o"><</span><span class="nc">String</span><span class="o">,</span> <span class="nc">String</span><span class="o">>></span> <span class="n">entity</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HttpEntity</span><span class="o"><>(</span><span class="n">headers</span><span class="o">);</span>
<span class="nc">ParameterizedTypeReference</span><span class="o"><</span><span class="nc">HashMap</span><span class="o"><</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Object</span><span class="o">>></span> <span class="n">responseType</span> <span class="o">=</span>
<span class="k">new</span> <span class="nc">ParameterizedTypeReference</span><span class="o"><</span><span class="nc">HashMap</span><span class="o"><</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Object</span><span class="o">>>()</span> <span class="o">{};</span>
<span class="k">return</span> <span class="n">template</span><span class="o">.</span><span class="na">exchange</span><span class="o">(</span><span class="no">KAKAO_HOST</span> <span class="o">+</span> <span class="s">"/v2/user/me"</span><span class="o">,</span> <span class="nc">HttpMethod</span><span class="o">.</span><span class="na">GET</span><span class="o">,</span> <span class="n">entity</span><span class="o">,</span> <span class="n">responseType</span><span class="o">);</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>다음으로, AccountController 에서 만든 postToken method 에 파라메터 하나를 추가 하겠다.</p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Slf4j</span>
<span class="nd">@RestController</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">AccountController</span> <span class="o">{</span>
<span class="c1">// ...other</span>
<span class="nd">@PostMapping</span><span class="o">(</span><span class="n">value</span> <span class="o">=</span> <span class="s">"/oauth/token"</span><span class="o">)</span>
<span class="kd">public</span> <span class="nc">ResponseEntity</span><span class="o"><</span><span class="nc">OAuth2AccessToken</span><span class="o">></span> <span class="nf">postAccessToken</span><span class="o">(</span>
<span class="c1">// new</span>
<span class="nd">@RequestHeader</span><span class="o">(</span><span class="n">name</span> <span class="o">=</span> <span class="s">"x-auth-token"</span><span class="o">,</span> <span class="n">required</span> <span class="o">=</span> <span class="kc">false</span><span class="o">)</span> <span class="nc">String</span> <span class="n">xAuthToken</span><span class="o">,</span>
<span class="nd">@RequestParam</span> <span class="nc">Map</span><span class="o"><</span><span class="nc">String</span><span class="o">,</span> <span class="nc">String</span><span class="o">></span> <span class="n">parameters</span><span class="o">,</span>
<span class="nc">Principal</span> <span class="n">principal</span>
<span class="o">)</span> <span class="kd">throws</span> <span class="nc">HttpRequestMethodNotSupportedException</span> <span class="o">{</span>
<span class="n">log</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"AccountController"</span><span class="o">);</span>
<span class="c1">// new</span>
<span class="n">parameters</span><span class="o">.</span><span class="na">putIfAbsent</span><span class="o">(</span><span class="s">"grant_type"</span><span class="o">,</span> <span class="s">"password"</span><span class="o">);</span>
<span class="k">if</span> <span class="o">(</span><span class="n">xAuthToken</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span>
<span class="n">parameters</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"provider_token"</span><span class="o">,</span> <span class="n">xAuthToken</span><span class="o">);</span>
<span class="o">}</span>
<span class="k">return</span> <span class="n">tokenEndpoint</span><span class="o">.</span><span class="na">postAccessToken</span><span class="o">(</span><span class="n">principal</span><span class="o">,</span> <span class="n">parameters</span><span class="o">);</span>
<span class="o">}</span>
<span class="c1">// ...other</span>
<span class="o">}</span>
</code></pre></div></div>
<p>oauth2 인증 스펙 제약때문에, 기본 grant_type 을 password 로 설정 하였고,
header 에 <code class="language-plaintext highlighter-rouge">x-auth-token</code> 헤더를 추가했다.</p>
<p>이제 돌아가서 <code class="language-plaintext highlighter-rouge">SsoAuthenticationProvider</code> 에 인증 로직을 구현하자.</p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Slf4j</span>
<span class="nd">@Component</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">UserDetailsServiceProvider</span> <span class="kd">implements</span> <span class="nc">AuthenticationProvider</span> <span class="o">{</span>
<span class="nd">@Autowired</span>
<span class="kd">private</span> <span class="nc">KakaoClient</span> <span class="n">kakaoClient</span><span class="o">;</span>
<span class="nd">@Autowired</span>
<span class="nd">@Qualifier</span><span class="o">(</span><span class="s">"userDetailsServiceBean"</span><span class="o">)</span>
<span class="kd">private</span> <span class="nc">UserDetailsService</span> <span class="n">userDetailsService</span><span class="o">;</span>
<span class="nd">@Autowired</span>
<span class="kd">private</span> <span class="nc">PasswordEncoder</span> <span class="n">passwordEncoder</span><span class="o">;</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="nc">Authentication</span> <span class="nf">authenticate</span><span class="o">(</span><span class="nc">Authentication</span> <span class="n">authentication</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">AuthenticationException</span> <span class="o">{</span>
<span class="nc">HashMap</span><span class="o"><</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Object</span><span class="o">></span> <span class="n">details</span> <span class="o">=</span> <span class="o">(</span><span class="nc">HashMap</span><span class="o"><</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Object</span><span class="o">>)</span> <span class="n">authentication</span><span class="o">.</span><span class="na">getDetails</span><span class="o">();</span>
<span class="c1">// provider_token 이 있으면 소셜에서 회원정보를 조회한다.</span>
<span class="k">if</span> <span class="o">(</span><span class="n">details</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"provider_token"</span><span class="o">)</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span>
<span class="nc">String</span> <span class="n">sso_user_id</span> <span class="o">=</span> <span class="n">ssoExtractor</span><span class="o">(</span><span class="n">details</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"provider_token"</span><span class="o">));</span>
<span class="k">if</span> <span class="o">(</span><span class="n">sso_user_id</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span>
<span class="c1">// ..TODO DB 처리</span>
<span class="k">return</span> <span class="k">new</span> <span class="nf">UsernamePasswordAuthenticationToken</span><span class="o">(</span>
<span class="n">sso_user_id</span><span class="o">,</span> <span class="kc">null</span><span class="o">,</span> <span class="nc">AuthorityUtils</span><span class="o">.</span><span class="na">createAuthorityList</span><span class="o">(</span><span class="s">"BASIC_UESR"</span><span class="o">)</span>
<span class="o">);</span>
<span class="o">}</span>
<span class="o">}</span>
<span class="c1">// 기본인증.</span>
<span class="nc">String</span> <span class="n">user_password</span> <span class="o">=</span> <span class="n">authentication</span><span class="o">.</span><span class="na">getCredentials</span><span class="o">().</span><span class="na">toString</span><span class="o">();</span>
<span class="nc">UserDetails</span> <span class="n">userDetails</span> <span class="o">=</span> <span class="n">userDetailsService</span><span class="o">.</span><span class="na">loadUserByUsername</span><span class="o">(</span><span class="n">authentication</span><span class="o">.</span><span class="na">getName</span><span class="o">());</span>
<span class="k">if</span> <span class="o">(!</span><span class="n">passwordEncoder</span><span class="o">.</span><span class="na">matches</span><span class="o">(</span><span class="n">user_password</span><span class="o">,</span> <span class="n">userDetails</span><span class="o">.</span><span class="na">getPassword</span><span class="o">()))</span> <span class="o">{</span>
<span class="k">throw</span> <span class="k">new</span> <span class="nf">BadCredentialsException</span><span class="o">(</span><span class="s">"Password Match Failed"</span><span class="o">);</span>
<span class="o">}</span>
<span class="k">return</span> <span class="k">new</span> <span class="nf">UsernamePasswordAuthenticationToken</span><span class="o">(</span>
<span class="n">userDetails</span><span class="o">.</span><span class="na">getUsername</span><span class="o">(),</span> <span class="n">userDetails</span><span class="o">.</span><span class="na">getPassword</span><span class="o">(),</span> <span class="n">userDetails</span><span class="o">.</span><span class="na">getAuthorities</span><span class="o">()</span>
<span class="o">);</span>
<span class="o">}</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="kt">boolean</span> <span class="nf">supports</span><span class="o">(</span><span class="nc">Class</span><span class="o"><?></span> <span class="n">authentication</span><span class="o">)</span> <span class="o">{</span>
<span class="k">return</span> <span class="n">authentication</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="nc">UsernamePasswordAuthenticationToken</span><span class="o">.</span><span class="na">class</span><span class="o">);</span>
<span class="o">}</span>
<span class="kd">private</span> <span class="nc">String</span> <span class="nf">ssoExtractor</span><span class="o">(</span><span class="kd">final</span> <span class="nc">Object</span> <span class="n">extractorToken</span><span class="o">)</span> <span class="o">{</span>
<span class="nc">String</span> <span class="n">convert_str</span> <span class="o">=</span> <span class="n">extractorToken</span><span class="o">.</span><span class="na">toString</span><span class="o">();</span>
<span class="nc">String</span><span class="o">[]</span> <span class="n">xHeader</span> <span class="o">=</span> <span class="n">convert_str</span><span class="o">.</span><span class="na">split</span><span class="o">(</span><span class="s">" "</span><span class="o">);</span>
<span class="k">if</span> <span class="o">(</span><span class="n">xHeader</span><span class="o">.</span><span class="na">length</span> <span class="o">==</span> <span class="mi">2</span><span class="o">)</span> <span class="o">{</span>
<span class="nc">String</span> <span class="n">access_token</span> <span class="o">=</span> <span class="n">xHeader</span><span class="o">[</span><span class="mi">1</span><span class="o">];</span>
<span class="k">if</span> <span class="o">(</span><span class="n">xHeader</span><span class="o">[</span><span class="mi">0</span><span class="o">].</span><span class="na">equalsIgnoreCase</span><span class="o">(</span><span class="s">"kakao"</span><span class="o">))</span> <span class="o">{</span>
<span class="c1">// 카카오 헤더일 경우, kakao 유저를 검증한다.</span>
<span class="nc">ResponseEntity</span><span class="o"><</span><span class="nc">HashMap</span><span class="o"><</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Object</span><span class="o">>></span> <span class="n">response</span> <span class="o">=</span> <span class="n">kakaoClient</span><span class="o">.</span><span class="na">me</span><span class="o">(</span><span class="n">access_token</span><span class="o">);</span>
<span class="k">if</span> <span class="o">(</span><span class="n">response</span><span class="o">.</span><span class="na">hasBody</span><span class="o">())</span> <span class="o">{</span>
<span class="k">assert</span> <span class="n">response</span><span class="o">.</span><span class="na">getBody</span><span class="o">()</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">;</span>
<span class="k">return</span> <span class="n">response</span><span class="o">.</span><span class="na">getBody</span><span class="o">().</span><span class="na">get</span><span class="o">(</span><span class="s">"id"</span><span class="o">).</span><span class="na">toString</span><span class="o">();</span>
<span class="o">}</span>
<span class="o">}</span>
<span class="o">}</span>
<span class="k">return</span> <span class="kc">null</span><span class="o">;</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<h2 id="create-js-soical-login-page">Create JS Soical Login Page</h2>
<p>이제 소셜 로그인을 할 수 있는 페이지를 만들자.</p>
<div class="language-html highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp"><!DOCTYPE html></span>
<span class="nt"><html</span> <span class="na">lang=</span><span class="s">"ko"</span><span class="nt">></span>
<span class="nt"><head></span>
<span class="nt"><meta</span> <span class="na">charset=</span><span class="s">"UTF-8"</span><span class="nt">></span>
<span class="nt"><title></span>Kakao Login Example<span class="nt"></title></span>
<span class="nt"><link</span> <span class="na">rel=</span><span class="s">"stylesheet"</span> <span class="na">href=</span><span class="s">"https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css"</span> <span class="na">integrity=</span><span class="s">"sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh"</span> <span class="na">crossorigin=</span><span class="s">"anonymous"</span><span class="nt">></span>
<span class="nt"></head></span>
<span class="nt"><body></span>
<span class="nt"><div</span> <span class="na">id=</span><span class="s">"app"</span> <span class="na">class=</span><span class="s">"container p-5"</span><span class="nt">></span>
<span class="nt"><div</span> <span class="na">v-if=</span><span class="s">"loading"</span> <span class="na">class=</span><span class="s">"spinner-grow"</span> <span class="na">role=</span><span class="s">"status"</span><span class="nt">></span>
<span class="nt"><span</span> <span class="na">class=</span><span class="s">"sr-only"</span><span class="nt">></span>Loading...<span class="nt"></span></span>
<span class="nt"></div></span>
<span class="nt"><div</span> <span class="na">v-if=</span><span class="s">"!loading"</span> <span class="na">class=</span><span class="s">"col-md-4"</span><span class="nt">></span>
<span class="nt"><button</span> <span class="na">class=</span><span class="s">"btn btn-primary"</span> <span class="na">v-if=</span><span class="s">"isLogined === false"</span> <span class="err">@</span><span class="na">click=</span><span class="s">"kakaoLogin"</span><span class="nt">></span>카카오 로그인<span class="nt"></button></span>
<span class="nt"><div</span> <span class="na">v-if=</span><span class="s">"isLogined === true"</span><span class="nt">></span>
<span class="nt"><img</span> <span class="na">:src=</span><span class="s">"profile_url"</span> <span class="na">alt=</span><span class="s">"profile image"</span> <span class="na">class=</span><span class="s">"rounded-circle rounded-sm"</span> <span class="nt">/></span>
<span class="nt"><a</span> <span class="na">href=</span><span class="s">"#"</span> <span class="na">class=</span><span class="s">"btn btn-dark"</span> <span class="err">@</span><span class="na">click=</span><span class="s">"kakaoLogout"</span><span class="nt">></span>로그아웃<span class="nt"></a></span>
<span class="nt"></div></span>
<span class="nt"></div></span>
<span class="nt"></div></span>
<span class="nt"><script </span><span class="na">src=</span><span class="s">"https://cdnjs.cloudflare.com/ajax/libs/vue/2.6.10/vue.min.js"</span><span class="nt">></script></span>
<span class="nt"><script </span><span class="na">src=</span><span class="s">"//developers.kakao.com/sdk/js/kakao.min.js"</span><span class="nt">></script></span>
<span class="nt"><script </span><span class="na">src=</span><span class="s">"https://code.jquery.com/jquery-3.4.1.min.js"</span><span class="nt">></script></span>
<span class="nt"><script </span><span class="na">src=</span><span class="s">"https://cdn.jsdelivr.net/npm/popper.js@1.16.0/dist/umd/popper.min.js"</span> <span class="na">integrity=</span><span class="s">"sha384-Q6E9RHvbIyZFJoft+2mJbHaEWldlvI9IOYy5n3zV9zzTtmI3UksdQRVvoxMfooAo"</span> <span class="na">crossorigin=</span><span class="s">"anonymous"</span><span class="nt">></script></span>
<span class="nt"><script </span><span class="na">src=</span><span class="s">"https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/js/bootstrap.min.js"</span> <span class="na">integrity=</span><span class="s">"sha384-wfSDF2E50Y2D1uUdj0O3uMBJnjuUD4Ih7YwaYd1iqfktj0Uod8GCExl3Og8ifwB6"</span> <span class="na">crossorigin=</span><span class="s">"anonymous"</span><span class="nt">></script></span>
<span class="nt"><script></span>
<span class="kd">var</span> <span class="nx">KAKAO_JS_ID</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">20b1fc00b5c01b361c5e74e78f0908b3</span><span class="dl">'</span><span class="p">;</span>
<span class="nx">Kakao</span><span class="p">.</span><span class="nx">init</span><span class="p">(</span><span class="nx">KAKAO_JS_ID</span><span class="p">);</span>
<span class="k">new</span> <span class="nx">Vue</span><span class="p">({</span>
<span class="na">el</span><span class="p">:</span> <span class="dl">"</span><span class="s2">#app</span><span class="dl">"</span><span class="p">,</span>
<span class="na">data</span><span class="p">:</span> <span class="p">{</span>
<span class="na">profile_url</span><span class="p">:</span> <span class="kc">null</span><span class="p">,</span>
<span class="na">isLogined</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span>
<span class="na">loading</span><span class="p">:</span> <span class="kc">false</span>
<span class="p">},</span>
<span class="na">mounted</span><span class="p">:</span> <span class="kd">function</span> <span class="p">()</span> <span class="p">{</span>
<span class="k">this</span><span class="p">.</span><span class="nx">getKakaoLoginStatus</span><span class="p">();</span>
<span class="p">},</span>
<span class="na">methods</span><span class="p">:</span> <span class="p">{</span>
<span class="na">getKakaoLoginStatus</span><span class="p">:</span> <span class="kd">function</span> <span class="p">()</span> <span class="p">{</span>
<span class="k">this</span><span class="p">.</span><span class="nx">loading</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span>
<span class="k">this</span><span class="p">.</span><span class="nx">$nextTick</span><span class="p">(</span><span class="kd">function</span> <span class="p">()</span> <span class="p">{</span>
<span class="cm">/**
* @param {Object} statusObj - 카카오 로그인 상태를 체크
* @param {("connected" | "not_connected")} statusObj.status - 현재 로그인 상태
* @param {Object} statusObj.user - status 가 connected 일 때, 사용자 정보
* @param statusObj.user.properties - 로그인 후 사용자 정보
*/</span>
<span class="nx">Kakao</span><span class="p">.</span><span class="nx">Auth</span><span class="p">.</span><span class="nx">getStatusInfo</span><span class="p">(</span><span class="kd">function</span> <span class="p">(</span><span class="nx">statusObj</span><span class="p">)</span> <span class="p">{</span>
<span class="k">this</span><span class="p">.</span><span class="nx">loading</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="nx">statusObj</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">connected</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span>
<span class="k">this</span><span class="p">.</span><span class="nx">isLogined</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span>
<span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Login Connected: </span><span class="dl">'</span><span class="p">,</span> <span class="nx">statusObj</span><span class="p">);</span>
<span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">statusObj</span><span class="p">);</span>
<span class="k">this</span><span class="p">.</span><span class="nx">profile_url</span> <span class="o">=</span> <span class="nx">statusObj</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">properties</span><span class="p">.</span><span class="nx">profile_image</span><span class="p">;</span>
<span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
<span class="k">this</span><span class="p">.</span><span class="nx">isLogined</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span>
<span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Login Not Connected: </span><span class="dl">'</span><span class="p">,</span> <span class="nx">statusObj</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">}.</span><span class="nx">bind</span><span class="p">(</span><span class="k">this</span><span class="p">));</span>
<span class="p">})</span>
<span class="p">},</span>
<span class="cm">/**
* 카카오 로그인 팝업창을 띄우고, 로그인 프로세스를 진행한다.
*/</span>
<span class="na">kakaoLogin</span><span class="p">:</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span>
<span class="nx">Kakao</span><span class="p">.</span><span class="nx">Auth</span><span class="p">.</span><span class="nx">login</span><span class="p">({</span>
<span class="na">success</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">kakaoLoginSuccessHandler</span><span class="p">.</span><span class="nx">bind</span><span class="p">(</span><span class="k">this</span><span class="p">),</span>
<span class="na">fail</span><span class="p">:</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span>
<span class="nx">alert</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">(</span><span class="nx">err</span><span class="p">));</span>
<span class="p">}</span>
<span class="p">})</span>
<span class="p">},</span>
<span class="cm">/**
* 카카오에 연결된 로그인 세션을 해제한다.
*/</span>
<span class="na">kakaoLogout</span><span class="p">:</span> <span class="kd">function</span> <span class="p">()</span> <span class="p">{</span>
<span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">logout</span><span class="dl">'</span><span class="p">);</span>
<span class="k">this</span><span class="p">.</span><span class="nx">loading</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span>
<span class="k">this</span><span class="p">.</span><span class="nx">$nextTick</span><span class="p">(</span><span class="kd">function</span> <span class="p">()</span> <span class="p">{</span>
<span class="nx">Kakao</span><span class="p">.</span><span class="nx">Auth</span><span class="p">.</span><span class="nx">logout</span><span class="p">(</span><span class="kd">function</span> <span class="p">(</span><span class="nx">logout</span><span class="p">)</span> <span class="p">{</span>
<span class="k">this</span><span class="p">.</span><span class="nx">loading</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="nx">logout</span><span class="p">)</span> <span class="p">{</span>
<span class="k">this</span><span class="p">.</span><span class="nx">isLogined</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}.</span><span class="nx">bind</span><span class="p">(</span><span class="k">this</span><span class="p">));</span>
<span class="p">});</span>
<span class="p">},</span>
<span class="cm">/**
* 카카오에서 발급받은, access_token 으로 서버에 /oauth/kakao 로 인증요청을 한 후,
* 서버에서 발급받은 토큰을 로컬스토리지로 저장한다.
*
* @param response - 리소스에 접근 할 수 있는 토큰 오브젝
*/</span>
<span class="na">kakaoLoginSuccessHandler</span><span class="p">:</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">response</span><span class="p">)</span> <span class="p">{</span>
<span class="k">this</span><span class="p">.</span><span class="nx">isLogined</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span>
<span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">kakaoLoginSuccessHandler(): </span><span class="dl">'</span><span class="p">,</span> <span class="nx">response</span><span class="p">);</span>
<span class="k">this</span><span class="p">.</span><span class="nx">$nextTick</span><span class="p">(</span><span class="kd">function</span> <span class="p">()</span> <span class="p">{</span>
<span class="k">this</span><span class="p">.</span><span class="nx">getKakaoLoginStatus</span><span class="p">();</span>
<span class="nx">$</span><span class="p">.</span><span class="nx">ajax</span><span class="p">({</span>
<span class="na">url</span><span class="p">:</span> <span class="dl">"</span><span class="s2">http://localhost:8080/oauth/token</span><span class="dl">"</span><span class="p">,</span>
<span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">post</span><span class="dl">"</span><span class="p">,</span>
<span class="na">contentType</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/x-www-form-urlencoded</span><span class="dl">"</span><span class="p">,</span>
<span class="na">headers</span><span class="p">:</span> <span class="p">{</span>
<span class="dl">'</span><span class="s1">authorization</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Basic Y2xpZW50OnNlY3JldA==</span><span class="dl">'</span><span class="p">,</span>
<span class="dl">'</span><span class="s1">x-auth-token</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Kakao </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">response</span><span class="p">.</span><span class="nx">access_token</span>
<span class="p">},</span>
<span class="na">success</span><span class="p">:</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">response</span><span class="p">)</span> <span class="p">{</span>
<span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">response</span><span class="p">);</span>
<span class="nx">localStorage</span><span class="p">.</span><span class="nx">setItem</span><span class="p">(</span><span class="dl">"</span><span class="s2">app_user</span><span class="dl">"</span><span class="p">,</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">(</span><span class="nx">response</span><span class="p">));</span>
<span class="p">},</span>
<span class="na">error</span><span class="p">:</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span>
<span class="nx">alert</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">(</span><span class="nx">err</span><span class="p">));</span>
<span class="p">}</span>
<span class="p">})</span>
<span class="p">});</span>
<span class="p">},</span>
<span class="p">}</span>
<span class="p">});</span>
<span class="nt"></script></span>
<span class="nt"></body></span>
<span class="nt"></html></span>
</code></pre></div></div>
<p>간략하게 설명하자면,</p>
<p>kakao에서 access_token 발급 -> 서버로 엑세스 토큰 전송 -> 서버에서 발급받은 access_token 을 로컬스토리지로 저장 순이다.</p>
<p>이제 카카오 로그인 후, localStorage 에 서버에서 받아 온, 사용자 정보가 들어있으면</p>
<p>성공이다.</p>
<p><img src="/images/sso-final.png" alt="image" /></p>
<p>source: <a href="https://github.com/ziponia/spring-boot-oauth2-server-with-social">https://github.com/ziponia/spring-boot-oauth2-server-with-social</a></p>Spring Boot 로 Rest 방식의 소셜 로그인을 만들어보자.[SPRING] Spring Security 사용하기 #122019-05-27T00:00:00+00:002019-05-27T00:00:00+00:00https://ziponia.github.io/2019/05/27/spring-security-oauth2-high-performance<p><a href="/2019/05/22/spring-boot-oauth2-client-with-db/">지난 oauth2 client DB 로 관리하기</a> 에서 우리는</p>
<p>ClientDetailsService 인터페이스를 ClientServiceImpl 로 구현하고 loadClientByClientId 를 오버라이드 하여, 제공했었다.</p>
<p>사실 이부분은 매우 큰 결점이 있는데, Security 포스팅과 맞지 않는다고 생각하여, 그냥 넘어가려고 했지만…</p>
<p>다시 생각해 보니 언급하고 넘어가는게 좋을 것 같아서 진행 하려고 한다.</p>
<p>loadByClientByClientId 에서 clientEntity 라인 밑에 콘솔을 찍어보자. (디버깅을 돌려본다면 더 좋다.)</p>
<p>아래 영상을 보자.</p>
<p><img src="https://s3.ap-northeast-2.amazonaws.com/ziponia.github.io/2019-5-27/spring-oauth2-client-overhit.gif" alt="이미지" /></p>
<p>이상한 점이 보이는가?</p>
<p>단한번 토큰 발행 요청에 무료 11번 오버히트가 났다.</p>
<p><img src="https://s3.ap-northeast-2.amazonaws.com/ziponia.github.io/2019-5-27/oauth2-overhit-image1.png" alt="이미지" /></p>
<p>사실 이건, 같은 행동만 여러번 반복되는것이 아니고,</p>
<p>Securit 내부에서 Scope 를 만들고…인증정보만들고…client 의 각항목을 체크하고.. 권한만들고.. 하면서 나오는 현상인데</p>
<p>사실 우리에게는 매우 불필요하고, SQL 에게도 미안한 행동이다.</p>
<p>이부분을 개선시켜보자.</p>
<h1 id="cacheable">@Cacheable</h1>
<p>사실 앞에서 거창하게 이야기 했지만 복잡한게 아니고 어노테이션 두개면 끝난다.</p>
<p>먼저 maven 에 <code class="language-plaintext highlighter-rouge">spring-boot-starter-cache</code> 를 추가 해 주자.</p>
<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt"><dependencies></span>
<span class="c"><!-- more... --></span>
<span class="nt"><dependency></span>
<span class="nt"><groupId></span>org.springframework.boot<span class="nt"></groupId></span>
<span class="nt"><artifactId></span>spring-boot-starter-cache<span class="nt"></artifactId></span>
<span class="nt"></dependency></span>
<span class="c"><!-- more.. --></span>
<span class="nt"></dependencies></span>
</code></pre></div></div>
<p>다음 메인 클래스에서 <code class="language-plaintext highlighter-rouge">@EnableCaching</code> 를 선언 해주자.</p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// ...</span>
<span class="nd">@EnableCaching</span>
<span class="nd">@SpringBootApplication</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityApplication</span> <span class="o">{</span>
<span class="c1">//...</span>
<span class="o">}</span>
</code></pre></div></div>
<p>ClientDetailsServiceImpl 의 loadByClientByClientId 에다 캐시 처리를 해주면 된다.</p>
<p><em>ClientDetailsServiceImpl.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">ClientDetailsServiceImpl</span> <span class="kd">implements</span> <span class="nc">ClientDetailsService</span> <span class="o">{</span>
<span class="c1">// ...</span>
<span class="nd">@Cacheable</span><span class="o">(</span><span class="s">"oauth2-load-client"</span><span class="o">)</span> <span class="c1">// new</span>
<span class="kd">public</span> <span class="nc">ClientDetails</span> <span class="nf">loadClientByClientId</span><span class="o">(</span><span class="nc">String</span> <span class="n">clientId</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">ClientRegistrationException</span> <span class="o">{</span>
<span class="c1">// ...</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>이제 테스트를 해보자.</p>
<p><img src="https://s3.ap-northeast-2.amazonaws.com/ziponia.github.io/2019-5-27/oauth2-overhit-final.gif" alt="이미지" /></p>
<p><img src="https://s3.ap-northeast-2.amazonaws.com/ziponia.github.io/2019-5-27/oauth2-ovehit-image-final.png" alt="이미지" /></p>
<p>이게 끝이다!!! :) happy~</p>지난 oauth2 client DB 로 관리하기 에서 우리는[SPRING] Spring Security 사용하기 #112019-05-26T00:00:00+00:002019-05-26T00:00:00+00:00https://ziponia.github.io/2019/05/26/spring-security-authenticationmanager<p>AuthenticationManager 를 사용하여, 원하는 시점에 로그인을 해보자.</p>
<p>지금은 항상 어떤 로그인이든지, <code class="language-plaintext highlighter-rouge">POST /login</code> 경로에서만 로그인이 되었었다.</p>
<p>AuthenticationManager 를 이용하여, 원하는 시점에 로그인이 될 수 있도록 바꿔보자.</p>
<p>먼저, AuthenticationManager 를 외부에서 사용 하기 위해, AuthenticationManagerBean 을 이용하여 Sprint Securtiy 밖으로 AuthenticationManager 빼 내야 한다.</p>
<p><em>WebSecurityConfig.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">WebSecurityConfig</span> <span class="kd">extends</span> <span class="nc">WebSecurityConfigurerAdapter</span> <span class="o">{</span>
<span class="c1">// ...</span>
<span class="nd">@Override</span>
<span class="kd">protected</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="c1">// ...</span>
<span class="n">http</span>
<span class="o">.</span><span class="na">requestMatchers</span><span class="o">()</span>
<span class="o">.</span><span class="na">mvcMatchers</span><span class="o">(</span><span class="s">"/login/**"</span><span class="o">,</span> <span class="s">"/logout/**"</span><span class="o">,</span> <span class="s">"/private/**"</span><span class="o">,</span> <span class="s">"/admin/**"</span><span class="o">,</span> <span class="s">"/"</span><span class="o">,</span> <span class="s">"/profile/**"</span><span class="o">,</span> <span class="s">"/my-login"</span><span class="o">)</span> <span class="c1">// /my-login 을 시큐리티 관리포인트에 추가하였다.</span>
<span class="o">}</span>
<span class="nd">@Bean</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="nc">AuthenticationManager</span> <span class="nf">authenticationManagerBean</span><span class="o">()</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="k">return</span> <span class="kd">super</span><span class="o">.</span><span class="na">authenticationManagerBean</span><span class="o">();</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>이제 AuthenticationManager 를 밖에서 사용 할 수 있다.</p>
<blockquote>
<p>이렇게 하지 않으면 AuthenticationManager 를 injection 할 수 없다. 위 메서드를 주석 처리하고, 컨트롤러에서 AutehtnciationManager 를 @Autowired 하면 컴파일 에러가 난다.</p>
</blockquote>
<p>이제 SecurityController 에서 AuthenticationManager 를 inject 하고 /my-login 이라는 경로를 만들자.</p>
<p><em>SecurityController.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@RequiredArgsConstructor</span> <span class="c1">// add lombok inject</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityController</span> <span class="o">{</span>
<span class="kd">private</span> <span class="kd">final</span> <span class="nc">AuthenticationManager</span> <span class="n">authenticationManager</span><span class="o">;</span> <span class="c1">// @Autowired</span>
<span class="c1">// ...</span>
<span class="nd">@PostMapping</span><span class="o">(</span><span class="n">value</span> <span class="o">=</span> <span class="s">"/my-login"</span><span class="o">)</span>
<span class="kd">public</span> <span class="nc">String</span> <span class="nf">customLoginProcess</span><span class="o">(</span>
<span class="nd">@RequestParam</span> <span class="nc">String</span> <span class="n">username</span><span class="o">,</span>
<span class="nd">@RequestParam</span> <span class="nc">String</span> <span class="n">password</span>
<span class="o">)</span> <span class="o">{</span>
<span class="c1">// 아이디와 패스워드로, Security 가 알아 볼 수 있는 token 객체로 변경한다.</span>
<span class="nc">UsernamePasswordAuthenticationToken</span> <span class="n">token</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">UsernamePasswordAuthenticationToken</span><span class="o">(</span><span class="n">username</span><span class="o">,</span> <span class="n">password</span><span class="o">);</span>
<span class="c1">// AuthenticationManager 에 token 을 넘기면 UserDetailsService 가 받아 처리하도록 한다.</span>
<span class="nc">Authentication</span> <span class="n">authentication</span> <span class="o">=</span> <span class="n">authenticationManager</span><span class="o">.</span><span class="na">authenticate</span><span class="o">(</span><span class="n">token</span><span class="o">);</span>
<span class="c1">// 실제 SecurityContext 에 authentication 정보를 등록한다.</span>
<span class="nc">SecurityContextHolder</span><span class="o">.</span><span class="na">getContext</span><span class="o">().</span><span class="na">setAuthentication</span><span class="o">(</span><span class="n">authentication</span><span class="o">);</span>
<span class="c1">// 그외</span>
<span class="k">return</span> <span class="s">"redirect:/"</span><span class="o">;</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>이제 로그인 페이지에서, /login 으로 form 전송을 보내었던 url 을 /my-login 으로 바꿔보자.</p>
<p><em>templates/login.html</em></p>
<div class="language-html highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt"><form</span> <span class="na">th:action=</span><span class="s">"@{/my-login}"</span> <span class="na">th:method=</span><span class="s">"post"</span><span class="nt">></span>
<span class="c"><!-- form.... --></span>
<span class="nt"></form></span>
</code></pre></div></div>
<p>이제 서버를 부팅 후 loginfrom 에서 로그인 을 한 후, 개인페이지로 들어가면 접근 이 잘 되는 것을 알 수 있다.</p>
<p>다음으로, 정상적으로, 로그인 처리가 되지 않았을 때, Exception 처리를 해보자.</p>
<p>AuthenticationManager 의 authenticate 은 UserDetails 컨텍스트가 내부적으로 잘못 되었다고 판단 되었을 경우,</p>
<p>AuthenticationException 을 throw 하도록 되어있고, AuthenticationException 은 다음 주요 Exception 구현체를 가지고 있다.</p>
<ul>
<li>DisabledException</li>
<li>LockedException</li>
<li>BadCredentialsException</li>
<li>UsernameNotFoundException</li>
</ul>
<p>그리고 이중에 UserDetailsServiceImpl throw 했던 UsernameNotFoundException 은 BadCredentialsException 을 호출 하도록 되어있다.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>- UsernameNotFoundException
- DaoAuthenticationProvider
- AbstractUserDetailsAuthenticationProvider
- BadCredentialsException
</code></pre></div></div>
<p>순으로 들어가게 되어 기본적으로 BadCredentialsException 을 호출 하게 되는것이다.</p>
<p>이제 코딩을 해보자.</p>
<p><em>SecurityController.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@RequiredArgsConstructor</span> <span class="c1">// add lombok inject</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityController</span> <span class="o">{</span>
<span class="kd">private</span> <span class="kd">final</span> <span class="nc">AuthenticationManager</span> <span class="n">authenticationManager</span><span class="o">;</span> <span class="c1">// @Autowired</span>
<span class="c1">// ...</span>
<span class="nd">@PostMapping</span><span class="o">(</span><span class="n">value</span> <span class="o">=</span> <span class="s">"/my-login"</span><span class="o">)</span>
<span class="kd">public</span> <span class="nc">String</span> <span class="nf">customLoginProcess</span><span class="o">(</span>
<span class="nd">@RequestParam</span> <span class="nc">String</span> <span class="n">username</span><span class="o">,</span>
<span class="nd">@RequestParam</span> <span class="nc">String</span> <span class="n">password</span>
<span class="o">)</span> <span class="o">{</span>
<span class="c1">// 아이디와 패스워드로, Security 가 알아 볼 수 있는 token 객체로 변경한다.</span>
<span class="nc">UsernamePasswordAuthenticationToken</span> <span class="n">token</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">UsernamePasswordAuthenticationToken</span><span class="o">(</span><span class="n">username</span><span class="o">,</span> <span class="n">password</span><span class="o">);</span>
<span class="k">try</span> <span class="o">{</span>
<span class="c1">// AuthenticationManager 에 token 을 넘기면 UserDetailsService 가 받아 처리하도록 한다.</span>
<span class="nc">Authentication</span> <span class="n">authentication</span> <span class="o">=</span> <span class="n">authenticationManager</span><span class="o">.</span><span class="na">authenticate</span><span class="o">(</span><span class="n">token</span><span class="o">);</span>
<span class="c1">// 실제 SecurityContext 에 authentication 정보를 등록한다.</span>
<span class="nc">SecurityContextHolder</span><span class="o">.</span><span class="na">getContext</span><span class="o">().</span><span class="na">setAuthentication</span><span class="o">(</span><span class="n">authentication</span><span class="o">);</span>
<span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">DisabledException</span> <span class="o">|</span> <span class="nc">LockedException</span> <span class="o">|</span> <span class="nc">BadCredentialsException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span>
<span class="nc">String</span> <span class="n">status</span><span class="o">;</span>
<span class="k">if</span> <span class="o">(</span><span class="n">e</span><span class="o">.</span><span class="na">getClass</span><span class="o">().</span><span class="na">equals</span><span class="o">(</span><span class="nc">BadCredentialsException</span><span class="o">.</span><span class="na">class</span><span class="o">))</span> <span class="o">{</span>
<span class="n">status</span> <span class="o">=</span> <span class="s">"invalid-password"</span><span class="o">;</span>
<span class="o">}</span> <span class="k">else</span> <span class="k">if</span> <span class="o">(</span><span class="n">e</span><span class="o">.</span><span class="na">getClass</span><span class="o">().</span><span class="na">equals</span><span class="o">(</span><span class="nc">DisabledException</span><span class="o">.</span><span class="na">class</span><span class="o">))</span> <span class="o">{</span>
<span class="n">status</span> <span class="o">=</span> <span class="s">"locked"</span><span class="o">;</span>
<span class="o">}</span> <span class="k">else</span> <span class="k">if</span> <span class="o">(</span><span class="n">e</span><span class="o">.</span><span class="na">getClass</span><span class="o">().</span><span class="na">equals</span><span class="o">(</span><span class="nc">LockedException</span><span class="o">.</span><span class="na">class</span><span class="o">))</span> <span class="o">{</span>
<span class="n">status</span> <span class="o">=</span> <span class="s">"disable"</span><span class="o">;</span>
<span class="o">}</span> <span class="k">else</span> <span class="o">{</span>
<span class="n">status</span> <span class="o">=</span> <span class="s">"unknown"</span><span class="o">;</span>
<span class="o">}</span>
<span class="k">return</span> <span class="s">"redirect:/login?flag="</span> <span class="o">+</span> <span class="n">status</span><span class="o">;</span>
<span class="o">}</span>
<span class="k">return</span> <span class="s">"redirect:/"</span><span class="o">;</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>각각 throw 된 Exceptino 을 분류 해서, status 파라미터를 나누도록 하였다.</p>
<p>이렇게, authenticationManager 를 이용하여 로그인 프로세스를 커스터마이징 해 보았다.</p>AuthenticationManager 를 사용하여, 원하는 시점에 로그인을 해보자.[SPRING] Spring Security 사용하기 #102019-05-25T00:00:00+00:002019-05-25T00:00:00+00:00https://ziponia.github.io/2019/05/25/spring-security-custom-principal<p>source: <a href="https://github.com/ziponia/spring-security-example">https://github.com/ziponia/spring-security-example</a></p>
<p>이번에는 Security Principal 객체를 커스터마이징 해보자.</p>
<p>기존에 로그인 하게 되면 기본적으로 spring security context</p>
<p>package org.springframework.security.core.userdetails.UserDetails; 를 구현하는것이며,</p>
<p><a href="/2019/05/15/spring-security-with-boot/" target="_blank">가장 첫 포스트에서 만든</a> security context 객체 는</p>
<p>Security 의 UserDetails 를 사용하기 쉽게 미리 만들어 둔, UserDetails 의 구현 객체인 User <code class="language-plaintext highlighter-rouge">org.springframework.security.core.userdetails.User</code> 객체이다.</p>
<p>이 User 객체를 살펴보게 되면 다음과 같이 생성자가 두개 미리 생성되어있다.</p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">User</span> <span class="kd">implements</span> <span class="nc">UserDetails</span><span class="o">,</span> <span class="nc">CredentialsContainer</span> <span class="o">{</span>
<span class="kd">public</span> <span class="nf">User</span><span class="o">(</span><span class="nc">String</span> <span class="n">username</span><span class="o">,</span> <span class="nc">String</span> <span class="n">password</span><span class="o">,</span>
<span class="nc">Collection</span><span class="o"><?</span> <span class="kd">extends</span> <span class="nc">GrantedAuthority</span><span class="o">></span> <span class="n">authorities</span><span class="o">)</span> <span class="o">{</span>
<span class="c1">// ...</span>
<span class="o">}</span>
<span class="kd">public</span> <span class="nf">User</span><span class="o">(</span><span class="nc">String</span> <span class="n">username</span><span class="o">,</span> <span class="nc">String</span> <span class="n">password</span><span class="o">,</span> <span class="kt">boolean</span> <span class="n">enabled</span><span class="o">,</span>
<span class="kt">boolean</span> <span class="n">accountNonExpired</span><span class="o">,</span> <span class="kt">boolean</span> <span class="n">credentialsNonExpired</span><span class="o">,</span>
<span class="kt">boolean</span> <span class="n">accountNonLocked</span><span class="o">,</span> <span class="nc">Collection</span><span class="o"><?</span> <span class="kd">extends</span> <span class="nc">GrantedAuthority</span><span class="o">></span> <span class="n">authorities</span><span class="o">)</span> <span class="o">{</span>
<span class="c1">// ...</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>하나는 단순하게 아이디, 비밀번호, 권한을 생성하는 컨스트럭터이고,</p>
<p>다른 하나는 아이디, 비밀번호, 사용가능여부, 만료여부, 비밀번호가 만려되었는지, 잠겨있는지, 권한 을 생성하는 객체이다.</p>
<p>아이디, 비밀번호, 권한 을 제외하고는 설정하지 않으면 기본적으로 true 이다.</p>
<p>그런데, 왼지 컨텍스트에 위에 정보들만 가지고 다니기 좀 꺼림칙 하다.</p>
<p>예를들면, 우리의 서비스는 임대형이고, 각 페이지를 돌아다니면서 각각 사용자의 맞는 리소스를 가지고 오려면 위의 컨텍스트 객체의 username 을 가지고 온 다음,</p>
<p>DB 에서 username 에 대한 유저 객체를 조회하고, 조회한 유저 객체가 속한 그룹 정보를 가지고 와야 한다.</p>
<blockquote>
<p>더 좋은 방법도 있겠지만, 설득을 위해 조금 억지를 부려 보았다. 납득하자.</p>
</blockquote>
<p>이걸 security context 에서 바로 해당 유저의 그룹 정보가 ‘미리’ 담겨 있다면, 왼지 더 심플 해 질 것 같다.</p>
<p>예시를 보자.</p>
<p>먼저 사용자가 속한 그룹을 만들자.</p>
<p><em>GroupEntity.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">package</span> <span class="nn">ziponia.spring.security</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">lombok.Getter</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">lombok.Setter</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.hibernate.annotations.CreationTimestamp</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.hibernate.annotations.UpdateTimestamp</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">javax.persistence.*</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">java.util.Collection</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">java.util.Date</span><span class="o">;</span>
<span class="nd">@Entity</span>
<span class="nd">@Getter</span>
<span class="nd">@Setter</span>
<span class="nd">@Table</span><span class="o">(</span><span class="n">name</span> <span class="o">=</span> <span class="s">"tbl_group"</span><span class="o">)</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">GroupEntity</span> <span class="o">{</span>
<span class="nd">@Id</span>
<span class="nd">@GeneratedValue</span>
<span class="kd">private</span> <span class="nc">Integer</span> <span class="n">idx</span><span class="o">;</span>
<span class="kd">private</span> <span class="nc">String</span> <span class="n">groupName</span><span class="o">;</span>
<span class="nd">@OneToMany</span><span class="o">(</span><span class="n">mappedBy</span> <span class="o">=</span> <span class="s">"group"</span><span class="o">)</span>
<span class="kd">private</span> <span class="nc">Collection</span><span class="o"><</span><span class="nc">UserEntity</span><span class="o">></span> <span class="n">users</span><span class="o">;</span>
<span class="nd">@CreationTimestamp</span>
<span class="kd">private</span> <span class="nc">Date</span> <span class="n">createTime</span><span class="o">;</span>
<span class="nd">@UpdateTimestamp</span>
<span class="kd">private</span> <span class="nc">Date</span> <span class="n">updateTime</span><span class="o">;</span>
<span class="o">}</span>
</code></pre></div></div>
<p>그리고 tbl_user 에 group 을 추가하자.</p>
<p><em>UserEntity.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">UserEntity</span> <span class="o">{</span>
<span class="c1">// ...</span>
<span class="nd">@ManyToOne</span><span class="o">(</span><span class="n">fetch</span> <span class="o">=</span> <span class="nc">FetchType</span><span class="o">.</span><span class="na">LAZY</span><span class="o">)</span>
<span class="kd">private</span> <span class="nc">GroupEntity</span> <span class="n">group</span><span class="o">;</span>
<span class="o">}</span>
</code></pre></div></div>
<p>GroupEntity 와 UserEntity 는 1:n 양방향 관계로 설정하고, LAZY 로딩을 채택 하였다.</p>
<p>이제 import.sql 구문에 기본 group 을 만들고, user 테이블에 해당 그룹을 설정하겠다.</p>
<p><em>import.sql</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">insert</span> <span class="n">into</span> <span class="nf">tbl_group</span> <span class="o">(</span><span class="n">idx</span><span class="o">,</span> <span class="n">group_name</span><span class="o">,</span> <span class="n">create_time</span><span class="o">)</span> <span class="n">values</span> <span class="o">(</span><span class="mi">1</span><span class="o">,</span> <span class="err">'</span><span class="n">제프컴퍼니</span><span class="err">'</span><span class="o">,</span> <span class="n">current_timestamp</span><span class="o">());</span>
<span class="n">insert</span> <span class="n">into</span> <span class="nf">tbl_users</span> <span class="o">(</span><span class="n">idx</span><span class="o">,</span> <span class="n">username</span><span class="o">,</span> <span class="n">password</span><span class="o">,</span> <span class="n">nick_name</span><span class="o">,</span> <span class="n">group_idx</span><span class="o">)</span> <span class="n">values</span> <span class="o">(</span><span class="mi">1</span><span class="o">,</span> <span class="err">'</span><span class="n">user</span><span class="err">'</span><span class="o">,</span> <span class="err">'</span><span class="o">{</span><span class="n">bcrypt</span><span class="o">}</span><span class="err">$</span><span class="mi">2</span><span class="n">a</span><span class="err">$</span><span class="mi">10</span><span class="n">$Wyc</span><span class="o">.</span><span class="na">IrbO</span><span class="o">.</span><span class="na">bqraF58565Yde6J6heWdARvbDUKfaQYr9v</span><span class="o">/</span><span class="nc">IoHcQ1RlK</span><span class="err">'</span><span class="o">,</span> <span class="err">'</span><span class="n">제프</span><span class="err">'</span><span class="o">,</span> <span class="mi">1</span><span class="o">);</span>
<span class="n">insert</span> <span class="n">into</span> <span class="nf">tbl_users</span> <span class="o">(</span><span class="n">idx</span><span class="o">,</span> <span class="n">username</span><span class="o">,</span> <span class="n">password</span><span class="o">,</span> <span class="n">nick_name</span><span class="o">,</span> <span class="n">group_idx</span><span class="o">)</span> <span class="n">values</span> <span class="o">(</span><span class="mi">2</span><span class="o">,</span> <span class="err">'</span><span class="n">admin</span><span class="err">'</span><span class="o">,</span> <span class="err">'</span><span class="o">{</span><span class="n">bcrypt</span><span class="o">}</span><span class="err">$</span><span class="mi">2</span><span class="n">a</span><span class="err">$</span><span class="mi">10</span><span class="n">$Wyc</span><span class="o">.</span><span class="na">IrbO</span><span class="o">.</span><span class="na">bqraF58565Yde6J6heWdARvbDUKfaQYr9v</span><span class="o">/</span><span class="nc">IoHcQ1RlK</span><span class="err">'</span><span class="o">,</span> <span class="err">'</span><span class="n">블로그</span> <span class="n">관리자</span><span class="err">'</span><span class="o">,</span> <span class="mi">1</span><span class="o">);</span>
<span class="n">insert</span> <span class="n">into</span> <span class="nf">tbl_oauth_client</span> <span class="o">(</span><span class="n">idx</span><span class="o">,</span> <span class="n">authorities</span><span class="o">,</span> <span class="n">auto_approve</span><span class="o">,</span> <span class="n">client_id</span><span class="o">,</span> <span class="n">client_secret</span><span class="o">,</span> <span class="n">grant_types</span><span class="o">,</span> <span class="n">redirect_uri</span><span class="o">,</span> <span class="n">scope</span><span class="o">,</span> <span class="n">user_entity_idx</span><span class="o">)</span> <span class="n">values</span> <span class="o">(</span><span class="mi">1</span><span class="o">,</span> <span class="err">'</span><span class="no">CLIENT</span><span class="err">'</span><span class="o">,</span> <span class="kc">false</span><span class="o">,</span> <span class="err">'</span><span class="n">client</span><span class="err">'</span><span class="o">,</span> <span class="err">'</span><span class="o">{</span><span class="n">bcrypt</span><span class="o">}</span><span class="err">$</span><span class="mi">2</span><span class="n">a</span><span class="err">$</span><span class="mi">10</span><span class="n">$cxEU57mmmEm9FfhAJBMW7ec9oG4Y5Uq4Os8CfpxoL6TLzxPCCqzXK</span><span class="err">'</span><span class="o">,</span> <span class="err">'</span><span class="n">client_credentials</span><span class="o">,</span><span class="n">authorization_code</span><span class="o">,</span><span class="n">refresh_token</span><span class="o">,</span><span class="n">password</span><span class="err">'</span><span class="o">,</span> <span class="err">'</span><span class="nl">http:</span><span class="c1">//localhost:4000/api/callback', 'read,basic,profile', 1);</span>
</code></pre></div></div>
<p>tbl_group 에 1번 레코드에 ‘제프컴퍼니’ 라는 그룹을 추가하고, user 계정 group 에 제프컴퍼니를 추가 해 주었다.</p>
<blockquote>
<p>스크립트 상으로, tbl_group 이 tbl_user 보다 먼저 올라와야 한다.</p>
</blockquote>
<p>이제 UserController 에서 유저 그룹 정보를 가지고 오는 <code class="language-plaintext highlighter-rouge">GET /profile/group</code> 를 만들고, 그룹정보를 가지고 오자.</p>
<p><em>UserController.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">UserController</span> <span class="o">{</span>
<span class="c1">//...</span>
<span class="nd">@PersistenceContext</span>
<span class="kd">private</span> <span class="nc">EntityManager</span> <span class="n">em</span><span class="o">;</span> <span class="c1">// JPA</span>
<span class="nd">@GetMapping</span><span class="o">(</span><span class="n">value</span> <span class="o">=</span> <span class="s">"/profile/group"</span><span class="o">)</span>
<span class="nd">@PreAuthorize</span><span class="o">(</span><span class="s">"isAuthenticated()"</span><span class="o">)</span>
<span class="kd">public</span> <span class="nc">String</span> <span class="nf">myGroup</span><span class="o">(</span>
<span class="nd">@AuthenticationPrincipal</span> <span class="nc">Authentication</span> <span class="n">authentication</span><span class="o">,</span>
<span class="nc">Model</span> <span class="n">model</span>
<span class="o">)</span> <span class="o">{</span>
<span class="c1">// user 정보를 가지고 온다.</span>
<span class="nc">UserEntity</span> <span class="n">user</span> <span class="o">=</span> <span class="n">em</span><span class="o">.</span><span class="na">createQuery</span><span class="o">(</span><span class="s">"select u from UserEntity u where u.username = :username"</span><span class="o">,</span> <span class="nc">UserEntity</span><span class="o">.</span><span class="na">class</span><span class="o">)</span>
<span class="o">.</span><span class="na">setParameter</span><span class="o">(</span><span class="s">"username"</span><span class="o">,</span> <span class="n">authentication</span><span class="o">.</span><span class="na">getName</span><span class="o">()).</span><span class="na">getSingleResult</span><span class="o">();</span>
<span class="c1">// group 정보를 가지고 온다.</span>
<span class="nc">GroupEntity</span> <span class="n">group</span> <span class="o">=</span> <span class="n">em</span><span class="o">.</span><span class="na">createQuery</span><span class="o">(</span><span class="s">"select g from GroupEntity g where g.idx = :idx"</span><span class="o">,</span> <span class="nc">GroupEntity</span><span class="o">.</span><span class="na">class</span><span class="o">)</span>
<span class="o">.</span><span class="na">setParameter</span><span class="o">(</span><span class="s">"idx"</span><span class="o">,</span> <span class="n">user</span><span class="o">.</span><span class="na">getGroup</span><span class="o">().</span><span class="na">getIdx</span><span class="o">()).</span><span class="na">getSingleResult</span><span class="o">();</span>
<span class="n">model</span><span class="o">.</span><span class="na">addAttribute</span><span class="o">(</span><span class="s">"group"</span><span class="o">,</span> <span class="n">group</span><span class="o">);</span>
<span class="k">return</span> <span class="s">"user_group"</span><span class="o">;</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>이제 user_group 페이지를 만들고 네비게이션 메뉴에 추가하자.</p>
<p><em>templates/user_group.html</em></p>
<div class="language-html highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt"><template</span>
<span class="na">xmlns:th=</span><span class="s">"http://www.thymeleaf.org"</span>
<span class="na">xmlns:layout=</span><span class="s">"http://www.ultraq.net.nz/thymeleaf/layout"</span>
<span class="na">layout:decorator=</span><span class="s">"layout/layout"</span>
<span class="na">th:remove=</span><span class="s">"tag"</span>
<span class="nt">></span>
<span class="nt"><th:block</span> <span class="na">layout:fragment=</span><span class="s">"contents"</span><span class="nt">></span>
<span class="nt"><h1></span>제 그룹은 [[ ${group.groupName} ]] 입니다.<span class="nt"></h1></span>
<span class="nt"></th:block></span>
<span class="nt"></template></span>
</code></pre></div></div>
<p><em>templates/layout/navigation.html</em></p>
<div class="language-html highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt"><template</span>
<span class="na">xmlns:th=</span><span class="s">"http://www.thymeleaf.org"</span>
<span class="na">xmlns:layout=</span><span class="s">"http://www.ultraq.net.nz/thymeleaf/layout"</span>
<span class="na">th:remove=</span><span class="s">"tag"</span>
<span class="nt">></span>
<span class="nt"><th:block</span> <span class="na">layout:fragment=</span><span class="s">"navigation"</span><span class="nt">></span>
<span class="nt"><nav</span> <span class="na">class=</span><span class="s">"navbar navbar-default"</span><span class="nt">></span>
<span class="nt"><ul</span> <span class="na">class=</span><span class="s">"nav navbar-nav"</span><span class="nt">></span>
<span class="nt"><li><a</span> <span class="na">th:href=</span><span class="s">"@{/}"</span><span class="nt">></span>홈<span class="nt"></a></li></span>
<span class="nt"><li><a</span> <span class="na">th:href=</span><span class="s">"@{/admin}"</span><span class="nt">></span>관리자 페이지<span class="nt"></a></li></span>
<span class="nt"><li><a</span> <span class="na">th:href=</span><span class="s">"@{/private}"</span><span class="nt">></span>개인 페이지<span class="nt"></a></li></span>
<span class="nt"><li><a</span> <span class="na">th:href=</span><span class="s">"@{/profile}"</span><span class="nt">></span>유저 검색 페이지<span class="nt"></a></li></span>
<span class="c"><!-- new --></span>
<span class="nt"><li><a</span> <span class="na">th:href=</span><span class="s">"@{/profile/group}"</span><span class="nt">></span>내 그룹 관리<span class="nt"></a></li></span>
<span class="nt"><li></span>
<span class="nt"><a</span> <span class="na">href=</span><span class="s">"javascript: void(0);"</span> <span class="na">onclick=</span><span class="s">"document.getElementById('logout-form').submit()"</span><span class="nt">></span>
로그아웃
<span class="nt"></a></span>
<span class="nt"></li></span>
<span class="nt"></ul></span>
<span class="nt"></nav></span>
<span class="nt"><form</span> <span class="na">id=</span><span class="s">"logout-form"</span> <span class="na">th:action=</span><span class="s">"@{/logout}"</span> <span class="na">method=</span><span class="s">"post"</span><span class="nt">></form></span>
<span class="nt"></th:block></span>
<span class="nt"></template></span>
</code></pre></div></div>
<p>이제 <a href="http://localhost:8080/profile/group">http://localhost:8080/profile/group</a> 로 들어 가 보면 아래 페이지를 볼 수 있을 것이다.</p>
<p><img src="https://s3.ap-northeast-2.amazonaws.com/ziponia.github.io/2019-5-26/spring-security-principal-default.png" alt="이미지" /></p>
<p>근데 문제가 있다.</p>
<p>컨트롤러를 살펴 보면</p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// user 정보를 가지고 온다.</span>
<span class="nc">UserEntity</span> <span class="n">user</span> <span class="o">=</span> <span class="n">em</span><span class="o">.</span><span class="na">createQuery</span><span class="o">(</span><span class="s">"select u from UserEntity u where u.username = :username"</span><span class="o">,</span> <span class="nc">UserEntity</span><span class="o">.</span><span class="na">class</span><span class="o">)</span>
<span class="o">.</span><span class="na">setParameter</span><span class="o">(</span><span class="s">"username"</span><span class="o">,</span> <span class="n">authentication</span><span class="o">.</span><span class="na">getName</span><span class="o">()).</span><span class="na">getSingleResult</span><span class="o">();</span>
<span class="c1">// group 정보를 가지고 온다.</span>
<span class="nc">GroupEntity</span> <span class="n">group</span> <span class="o">=</span> <span class="n">em</span><span class="o">.</span><span class="na">createQuery</span><span class="o">(</span><span class="s">"select g from GroupEntity g where g.idx = :idx"</span><span class="o">,</span> <span class="nc">GroupEntity</span><span class="o">.</span><span class="na">class</span><span class="o">)</span>
<span class="o">.</span><span class="na">setParameter</span><span class="o">(</span><span class="s">"idx"</span><span class="o">,</span> <span class="n">user</span><span class="o">.</span><span class="na">getGroup</span><span class="o">().</span><span class="na">getIdx</span><span class="o">()).</span><span class="na">getSingleResult</span><span class="o">();</span>
</code></pre></div></div>
<p>user 정보를 가져와, 유저가 가지고 있는 group의 fk 값을 조회하고, 조회 한 fk 값으로 group 정보를 조회하는 쿼리가 2개 인 것이다.</p>
<p>이 부분을 개선하기 위해, SecurityContext 에 저장 될 Context 객체를 수정 해보자.</p>
<p>먼저 Security 의 User 객체를 상속 할 CustomUserDetail 객체를 만들자.</p>
<p><em>CustomUserDetail.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">package</span> <span class="nn">ziponia.spring.security</span><span class="o">;</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">CustomUserDetail</span> <span class="o">{</span>
<span class="o">}</span>
</code></pre></div></div>
<p>그리고 이 객체는 User 객체를 상속한다.</p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">CustomUserDetail</span> <span class="kd">extends</span> <span class="nc">User</span> <span class="o">{</span>
<span class="kd">public</span> <span class="nf">CustomUserDetail</span><span class="o">(</span><span class="nc">String</span> <span class="n">username</span><span class="o">,</span> <span class="nc">String</span> <span class="n">password</span><span class="o">,</span> <span class="nc">Collection</span><span class="o"><?</span> <span class="kd">extends</span> <span class="nc">GrantedAuthority</span><span class="o">></span> <span class="n">authorities</span><span class="o">)</span> <span class="o">{</span>
<span class="kd">super</span><span class="o">(</span><span class="n">username</span><span class="o">,</span> <span class="n">password</span><span class="o">,</span> <span class="n">authorities</span><span class="o">);</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>Security User 의 username 과 password 와 authorities 만 가지고 있는 컨스트럭터를 상속하였다.</p>
<p>그리고 group 아이디 필드를 만들자</p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">CustomUserDetail</span> <span class="kd">extends</span> <span class="nc">User</span> <span class="o">{</span>
<span class="kd">private</span> <span class="nc">Integer</span> <span class="n">groupIdx</span><span class="o">;</span>
<span class="kd">public</span> <span class="nf">CustomUserDetail</span><span class="o">(</span><span class="nc">String</span> <span class="n">username</span><span class="o">,</span> <span class="nc">String</span> <span class="n">password</span><span class="o">,</span> <span class="nc">Collection</span><span class="o"><?</span> <span class="kd">extends</span> <span class="nc">GrantedAuthority</span><span class="o">></span> <span class="n">authorities</span><span class="o">,</span> <span class="nc">Integer</span> <span class="n">groupIdx</span><span class="o">)</span> <span class="o">{</span>
<span class="kd">super</span><span class="o">(</span><span class="n">username</span><span class="o">,</span> <span class="n">password</span><span class="o">,</span> <span class="n">authorities</span><span class="o">);</span>
<span class="k">this</span><span class="o">.</span><span class="na">groupIdx</span> <span class="o">=</span> <span class="n">groupIdx</span><span class="o">;</span>
<span class="o">}</span>
<span class="kd">public</span> <span class="nc">Integer</span> <span class="nf">getGroupIdx</span><span class="o">()</span> <span class="o">{</span>
<span class="k">return</span> <span class="n">groupIdx</span><span class="o">;</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>컨스트럭터의 4번째 인자값으로, groupIdx 를 넣고, 멤버변수에 groupIdx 로 집어 넣어 준 다음, getter 를 만들었다.</p>
<p>이제 UserDetailsServiceImpl 에서 new User(…) 를 우리가 만든 CustomUserDetail 로 변경하자.</p>
<p><em>UserDetailsServiceImpl.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">UserDetailsServiceImpl</span> <span class="kd">implements</span> <span class="nc">UserDetailsService</span> <span class="o">{</span>
<span class="c1">// ... some</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="nc">UserDetails</span> <span class="nf">loadUserByUsername</span><span class="o">(</span><span class="nc">String</span> <span class="n">s</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">UsernameNotFoundException</span> <span class="o">{</span>
<span class="c1">// ... some</span>
<span class="k">return</span> <span class="k">new</span> <span class="nf">CustomUserDetail</span><span class="o">(</span><span class="n">userEntity</span><span class="o">.</span><span class="na">getUsername</span><span class="o">(),</span> <span class="n">userEntity</span><span class="o">.</span><span class="na">getPassword</span><span class="o">(),</span> <span class="n">authorities</span><span class="o">,</span> <span class="n">userEntity</span><span class="o">.</span><span class="na">getGroup</span><span class="o">().</span><span class="na">getIdx</span><span class="o">());</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>마지막으로 UserController 에서 /profile/group 에 들어있는 Authentication 객체를 CustomUserDetail 로 변경 하고, 기존에 userEntity 를 가지고 오는 객체를 주석 처리 해주면, 쿼리 한번으로 그룹을 조회 할 수 있다.</p>
<p><em>UserController.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">UserController</span> <span class="o">{</span>
<span class="c1">// ...</span>
<span class="nd">@GetMapping</span><span class="o">(</span><span class="n">value</span> <span class="o">=</span> <span class="s">"/profile/group"</span><span class="o">)</span>
<span class="nd">@PreAuthorize</span><span class="o">(</span><span class="s">"isAuthenticated()"</span><span class="o">)</span>
<span class="kd">public</span> <span class="nc">String</span> <span class="nf">myGroup</span><span class="o">(</span>
<span class="c1">// Authentication -> CustomUserDetail</span>
<span class="nd">@AuthenticationPrincipal</span> <span class="nc">CustomUserDetail</span> <span class="n">authentication</span>
<span class="nc">Model</span> <span class="n">model</span>
<span class="o">)</span> <span class="o">{</span>
<span class="c1">// user 정보를 가지고 온다.</span>
<span class="cm">/*UserEntity user = em.createQuery("select u from UserEntity u where u.username = :username", UserEntity.class)
.setParameter("username", authentication.getName()).getSingleResult();*/</span>
<span class="c1">// group 정보를 가지고 온다.</span>
<span class="nc">GroupEntity</span> <span class="n">group</span> <span class="o">=</span> <span class="n">em</span><span class="o">.</span><span class="na">createQuery</span><span class="o">(</span><span class="s">"select g from GroupEntity g where g.idx = :idx"</span><span class="o">,</span> <span class="nc">GroupEntity</span><span class="o">.</span><span class="na">class</span><span class="o">)</span>
<span class="o">.</span><span class="na">setParameter</span><span class="o">(</span><span class="s">"idx"</span><span class="o">,</span> <span class="n">authentication</span><span class="o">.</span><span class="na">getGroupIdx</span><span class="o">()).</span><span class="na">getSingleResult</span><span class="o">();</span>
<span class="n">model</span><span class="o">.</span><span class="na">addAttribute</span><span class="o">(</span><span class="s">"group"</span><span class="o">,</span> <span class="n">group</span><span class="o">);</span>
<span class="k">return</span> <span class="s">"user_group"</span><span class="o">;</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<blockquote>
<p>만약에 서버 부팅 후 에러가 난다면, 홈으로 가서 로그아웃 후 다시 접속 하자. SecurityContext 에 groupIdx 가 담기지 안은 상태로, 컨텍스트 객체가 만들어 지지 않아서 생기는 문제이다.</p>
</blockquote>
<p>이렇게 SecurityContext 객체를 입맛대로 수정 해 보았다.</p>
<p>이제 입맛대로 다른 정보들도 관리 해보자.</p>source: https://github.com/ziponia/spring-security-example[SPRING] Spring Security 사용하기 #92019-05-24T00:00:00+00:002019-05-24T00:00:00+00:00https://ziponia.github.io/2019/05/24/spring-security-annotation-filter<p>@PreAuthorize 와 @PostAuthorize 에 대해서 알아보자.</p>
<p>오늘 할일
<img src="https://s3.ap-northeast-2.amazonaws.com/ziponia.github.io/2019-5-24/spring-security-annotation-final.gif" alt="https://s3.ap-northeast-2.amazonaws.com/ziponia.github.io/2019-5-24/spring-security-annotation-final.gif" /></p>
<p>현재까지 우리 프로젝트는 접근관리를, configuration 으로 관리했다.</p>
<p>WebSecurityConfig 파일을 보자</p>
<p><em>WebSecurityConfig.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">WebSecurityConfig</span> <span class="kd">extends</span> <span class="nc">WebSecurityConfigurerAdapter</span> <span class="o">{</span>
<span class="c1">// ...</span>
<span class="nd">@Override</span>
<span class="kd">protected</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="n">http</span>
<span class="o">.</span><span class="na">requestMatchers</span><span class="o">()</span>
<span class="o">.</span><span class="na">mvcMatchers</span><span class="o">(</span><span class="s">"/login/**"</span><span class="o">,</span> <span class="s">"/logout/**"</span><span class="o">,</span> <span class="s">"/private/**"</span><span class="o">,</span> <span class="s">"/admin/**"</span><span class="o">,</span> <span class="s">"/"</span><span class="o">)</span>
<span class="o">.</span><span class="na">and</span><span class="o">()</span>
<span class="o">.</span><span class="na">authorizeRequests</span><span class="o">()</span>
<span class="o">.</span><span class="na">antMatchers</span><span class="o">(</span><span class="s">"/private/**"</span><span class="o">).</span><span class="na">hasAnyRole</span><span class="o">(</span><span class="s">"USER"</span><span class="o">)</span>
<span class="o">.</span><span class="na">antMatchers</span><span class="o">(</span><span class="s">"/admin/**"</span><span class="o">).</span><span class="na">hasAnyRole</span><span class="o">(</span><span class="s">"ADMIN"</span><span class="o">)</span>
<span class="c1">// ...</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>private/ 경로에응 ROLE_USER 를 가지고 있는 user 만 접근가능하고, /admin 경로는 ROLE_ADMIN 경로만 가지고 있는 사람만 접근 가능하다.</p>
<p>하지만, 항상 url 패턴으로 상세하게 관리하기는 조금 버거운 면이 있다.</p>
<p>이런 시나리오를 생각 해 보자.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>zef 라는 유저가 글을 썻다.
zipo 라는 유저가 zef 의 글을 수정한다.
</code></pre></div></div>
<p>일반 게시판의 위에 시나리오대로 한다면, 누구든지 말이 안되는 것을 인지 하면서도, 시큐리티 입장에서는 허용가능하다.</p>
<p>zef 라는 user 도 USER 역할을 하고있고, zipo 라는 유저도 수정 할 수 있다는 것이다.</p>
<p>코드로 한번 알아보자.</p>
<p>먼저 tbl_user 테이블에 nickname 이라고 만들고, sql 에 nickname 을 추가해보자.</p>
<p><em>UserEntity.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">UserEntity</span> <span class="o">{</span>
<span class="c1">// ...</span>
<span class="kd">private</span> <span class="nc">String</span> <span class="n">nickName</span><span class="o">;</span>
<span class="c1">// ...</span>
<span class="o">}</span>
</code></pre></div></div>
<div class="language-sql highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">insert</span> <span class="k">into</span> <span class="n">tbl_users</span> <span class="p">(</span><span class="n">idx</span><span class="p">,</span> <span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="p">,</span> <span class="n">nick_name</span><span class="p">)</span> <span class="k">values</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="s1">'user'</span><span class="p">,</span> <span class="s1">'{bcrypt}$2a$10$Wyc.IrbO.bqraF58565Yde6J6heWdARvbDUKfaQYr9v/IoHcQ1RlK'</span><span class="p">,</span> <span class="s1">'제프'</span><span class="p">);</span>
<span class="k">insert</span> <span class="k">into</span> <span class="n">tbl_users</span> <span class="p">(</span><span class="n">idx</span><span class="p">,</span> <span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="p">,</span> <span class="n">nick_name</span><span class="p">)</span> <span class="k">values</span> <span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="s1">'admin'</span><span class="p">,</span> <span class="s1">'{bcrypt}$2a$10$Wyc.IrbO.bqraF58565Yde6J6heWdARvbDUKfaQYr9v/IoHcQ1RlK'</span><span class="p">,</span> <span class="s1">'블로그 관리자'</span><span class="p">);</span>
<span class="k">insert</span> <span class="k">into</span> <span class="n">tbl_oauth_client</span> <span class="p">(</span><span class="n">idx</span><span class="p">,</span> <span class="n">authorities</span><span class="p">,</span> <span class="n">auto_approve</span><span class="p">,</span> <span class="n">client_id</span><span class="p">,</span> <span class="n">client_secret</span><span class="p">,</span> <span class="n">grant_types</span><span class="p">,</span> <span class="n">redirect_uri</span><span class="p">,</span> <span class="k">scope</span><span class="p">,</span> <span class="n">user_entity_idx</span><span class="p">)</span> <span class="k">values</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="s1">'CLIENT'</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="s1">'client'</span><span class="p">,</span> <span class="s1">'{bcrypt}$2a$10$cxEU57mmmEm9FfhAJBMW7ec9oG4Y5Uq4Os8CfpxoL6TLzxPCCqzXK'</span><span class="p">,</span> <span class="s1">'client_credentials,authorization_code,refresh_token,password'</span><span class="p">,</span> <span class="s1">'http://localhost:4000/api/callback'</span><span class="p">,</span> <span class="s1">'read,basic,profile'</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span>
</code></pre></div></div>
<p>sql 에 nick_name 부분을 추가하고, value 에다 user 는 제프, admin 은 블로그 관리자 라는 닉네임을 주었다.</p>
<p>다음으로, UserController 를 만들자.</p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">package</span> <span class="nn">ziponia.spring.security</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">lombok.RequiredArgsConstructor</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.access.prepost.PreAuthorize</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.stereotype.Controller</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.ui.Model</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.GetMapping</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.PostMapping</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.RequestParam</span><span class="o">;</span>
<span class="nd">@Controller</span>
<span class="nd">@RequiredArgsConstructor</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">UserController</span> <span class="o">{</span>
<span class="kd">private</span> <span class="kd">final</span> <span class="nc">UserRepository</span> <span class="n">userRepository</span><span class="o">;</span>
<span class="nd">@GetMapping</span><span class="o">(</span><span class="n">value</span> <span class="o">=</span> <span class="s">"/profile"</span><span class="o">)</span>
<span class="kd">public</span> <span class="nc">String</span> <span class="nf">userProfilePage</span><span class="o">(</span>
<span class="nd">@RequestParam</span><span class="o">(</span><span class="n">required</span> <span class="o">=</span> <span class="kc">false</span><span class="o">)</span> <span class="nc">String</span> <span class="n">username</span><span class="o">,</span>
<span class="nc">Model</span> <span class="n">model</span>
<span class="o">)</span> <span class="o">{</span>
<span class="nc">UserEntity</span> <span class="n">user</span> <span class="o">=</span> <span class="kc">null</span><span class="o">;</span>
<span class="k">if</span> <span class="o">(</span><span class="n">username</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span>
<span class="n">user</span> <span class="o">=</span> <span class="n">userRepository</span><span class="o">.</span><span class="na">findByUsername</span><span class="o">(</span><span class="n">username</span><span class="o">);</span>
<span class="o">}</span>
<span class="n">model</span><span class="o">.</span><span class="na">addAttribute</span><span class="o">(</span><span class="s">"user"</span><span class="o">,</span> <span class="n">user</span><span class="o">);</span>
<span class="k">return</span> <span class="s">"profile"</span><span class="o">;</span>
<span class="o">}</span>
<span class="nd">@PostMapping</span><span class="o">(</span><span class="n">value</span> <span class="o">=</span> <span class="s">"/profile/update"</span><span class="o">)</span>
<span class="kd">public</span> <span class="nc">String</span> <span class="nf">userProfileUpdate</span><span class="o">(</span><span class="nc">UserEntity</span> <span class="n">entity</span><span class="o">)</span> <span class="o">{</span>
<span class="nc">UserEntity</span> <span class="n">findUser</span> <span class="o">=</span> <span class="n">userRepository</span><span class="o">.</span><span class="na">findByUsername</span><span class="o">(</span><span class="n">entity</span><span class="o">.</span><span class="na">getUsername</span><span class="o">());</span>
<span class="n">findUser</span><span class="o">.</span><span class="na">setNickName</span><span class="o">(</span><span class="n">entity</span><span class="o">.</span><span class="na">getNickName</span><span class="o">());</span>
<span class="n">userRepository</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">findUser</span><span class="o">);</span>
<span class="k">return</span> <span class="s">"redirect:/profile?username="</span> <span class="o">+</span> <span class="n">findUser</span><span class="o">.</span><span class="na">getUsername</span><span class="o">();</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>username 을 받아, 유저를 검색하고, /profile/update 로 nickname 을 수정 하는 컨트롤러를 만들었다.</p>
<p>이제 profile 화면을 만들자.</p>
<p><em>profiile.html</em></p>
<div class="language-html highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt"><html</span> <span class="na">xmlns:th=</span><span class="s">"http://www.thymeleaf.org"</span>
<span class="na">xmlns:layout=</span><span class="s">"http://www.ultraq.net.nz/thymeleaf/layout"</span>
<span class="na">layout:decorator=</span><span class="s">"layout/layout"</span><span class="nt">></span>
<span class="nt"><th:block</span> <span class="na">layout:fragment=</span><span class="s">"contents"</span><span class="nt">></span>
<span class="nt"><div</span> <span class="na">class=</span><span class="s">"row"</span><span class="nt">></span>
<span class="nt"><div</span> <span class="na">class=</span><span class="s">"col-md-6"</span><span class="nt">></span>
<span class="nt"><form</span> <span class="na">action=</span><span class="s">"#"</span> <span class="na">th:action=</span><span class="s">"@{/profile}"</span> <span class="na">method=</span><span class="s">"get"</span> <span class="na">class=</span><span class="s">"form-group block"</span><span class="nt">></span>
<span class="nt"><input</span> <span class="na">type=</span><span class="s">"search"</span> <span class="na">name=</span><span class="s">"username"</span> <span class="na">class=</span><span class="s">"form-control"</span> <span class="na">placeholder=</span><span class="s">"찾으시려는 유저를 검색 해주세요."</span> <span class="na">th:value=</span><span class="s">"${#request.getParameter('username')}"</span><span class="nt">></span>
<span class="nt"></form></span>
<span class="nt"></div></span>
<span class="nt"></div></span>
<span class="nt"><h1</span> <span class="na">th:if=</span><span class="s">"${#request.getParameter('username') == '' and user == null}"</span><span class="nt">></span>
유저를 찾을 수 없습니다.
<span class="nt"></h1></span>
<span class="nt"><template</span> <span class="na">th:if=</span><span class="s">"${user != null}"</span> <span class="na">th:remove=</span><span class="s">"tag"</span><span class="nt">></span>
<span class="nt"><h1</span> <span class="na">th:inline=</span><span class="s">"text"</span><span class="nt">></span>
[[ ${user.nickName} ]] 님 의 프로필 입니다
<span class="nt"></h1></span>
<span class="nt"><form</span> <span class="na">action=</span><span class="s">"#"</span> <span class="na">th:object=</span><span class="s">"${user}"</span> <span class="na">th:action=</span><span class="s">"@{/profile/update}"</span> <span class="na">method=</span><span class="s">"post"</span> <span class="na">class=</span><span class="s">"form-group"</span><span class="nt">></span>
<span class="nt"><input</span> <span class="na">type=</span><span class="s">"hidden"</span> <span class="na">th:field=</span><span class="s">"*{username}"</span><span class="nt">/></span>
<span class="nt"><label</span> <span class="na">th:for=</span><span class="s">"${user.nickName}"</span> <span class="na">class=</span><span class="s">"control-label"</span><span class="nt">></span>
닉네임
<span class="nt"><input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">th:field=</span><span class="s">"*{nickName}"</span> <span class="na">class=</span><span class="s">"form-control"</span><span class="nt">/></span>
<span class="nt"></label></span>
<span class="nt"><button</span> <span class="na">type=</span><span class="s">"submit"</span> <span class="na">class=</span><span class="s">"btn btn-primary"</span><span class="nt">></span>수정하기<span class="nt"></button></span>
<span class="nt"></form></span>
<span class="nt"></template></span>
<span class="nt"></th:block></span>
<span class="nt"></html></span>
</code></pre></div></div>
<p>마지막으로, 네비게이션 메뉴에 /profile 경로를 추가하자.</p>
<p><em>navigation.html</em></p>
<div class="language-html highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt"><html</span> <span class="na">xmlns:th=</span><span class="s">"http://www.thymeleaf.org"</span> <span class="na">xmlns:layout=</span><span class="s">"http://www.ultraq.net.nz/thymeleaf/layout"</span><span class="nt">></span>
<span class="nt"><th:block</span> <span class="na">layout:fragment=</span><span class="s">"navigation"</span><span class="nt">></span>
<span class="nt"><nav</span> <span class="na">class=</span><span class="s">"navbar navbar-default"</span><span class="nt">></span>
<span class="nt"><ul</span> <span class="na">class=</span><span class="s">"nav navbar-nav"</span><span class="nt">></span>
<span class="nt"><li><a</span> <span class="na">th:href=</span><span class="s">"@{/}"</span><span class="nt">></span>홈<span class="nt"></a></li></span>
<span class="nt"><li><a</span> <span class="na">th:href=</span><span class="s">"@{/admin}"</span><span class="nt">></span>관리자 페이지<span class="nt"></a></li></span>
<span class="nt"><li><a</span> <span class="na">th:href=</span><span class="s">"@{/private}"</span><span class="nt">></span>개인 페이지<span class="nt"></a></li></span>
<span class="c"><!-- 여기 --></span>
<span class="nt"><li><a</span> <span class="na">th:href=</span><span class="s">"@{/profile}"</span><span class="nt">></span>유저 검색 페이지<span class="nt"></a></li></span>
<span class="nt"><li></span>
<span class="nt"><a</span> <span class="na">href=</span><span class="s">"javascript: void(0);"</span> <span class="na">onclick=</span><span class="s">"document.getElementById('logout-form').submit()"</span><span class="nt">></span>
로그아웃
<span class="nt"></a></span>
<span class="nt"></li></span>
<span class="nt"></ul></span>
<span class="nt"></nav></span>
<span class="nt"><form</span> <span class="na">id=</span><span class="s">"logout-form"</span> <span class="na">th:action=</span><span class="s">"@{/logout}"</span> <span class="na">method=</span><span class="s">"post"</span><span class="nt">></form></span>
<span class="nt"></th:block></span>
<span class="nt"></html></span>
</code></pre></div></div>
<p>이제 서버를 부팅하고 <a href="http://localhost:8080/profile">http://localhost:8080/profile</a> 로가서 user 를 검색한 후, 닉네임을 수정해보자.</p>
<p><img src="https://s3.ap-northeast-2.amazonaws.com/ziponia.github.io/2019-5-24/spring-security-24-1.gif" alt="이미지" /></p>
<p>잘된다..</p>
<p>하지만 누구나 알것이다 잘되면 안된다.</p>
<p>로그인도 하지않았고, user 로 로그인 하더라도, admin 닉네임은 수정해서는 안된다.</p>
<p>자, 이제 configuration 은 건드리지 않고, 메서드 별로 처리 해보자.</p>
<p>main application 에서 다음과 같은 어노테이션을 추가하자.</p>
<p><em>SecurityApplication.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@SpringBootApplication</span>
<span class="nd">@EnableGlobalMethodSecurity</span><span class="o">(</span><span class="n">prePostEnabled</span> <span class="o">=</span> <span class="kc">true</span><span class="o">)</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityApplication</span> <span class="o">{</span>
<span class="c1">// ... more..</span>
<span class="o">}</span>
</code></pre></div></div>
<p>다음으로, userController 에 /profile/update 부분에 다음과 같이 추가하자.</p>
<p><em>UserController.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">UserController</span> <span class="o">{</span>
<span class="c1">// ...</span>
<span class="nd">@PostMapping</span><span class="o">(</span><span class="n">value</span> <span class="o">=</span> <span class="s">"/profile/update"</span><span class="o">)</span>
<span class="nd">@PreAuthorize</span><span class="o">(</span><span class="s">"isAuthenticated() and #entity.username == authentication.principal.username"</span><span class="o">)</span> <span class="c1">// <-- here</span>
<span class="kd">public</span> <span class="nc">String</span> <span class="nf">userProfileUpdate</span><span class="o">(</span><span class="nc">UserEntity</span> <span class="n">entity</span><span class="o">)</span> <span class="o">{</span>
<span class="nc">UserEntity</span> <span class="n">findUser</span> <span class="o">=</span> <span class="n">userRepository</span><span class="o">.</span><span class="na">findByUsername</span><span class="o">(</span><span class="n">entity</span><span class="o">.</span><span class="na">getUsername</span><span class="o">());</span>
<span class="n">findUser</span><span class="o">.</span><span class="na">setNickName</span><span class="o">(</span><span class="n">entity</span><span class="o">.</span><span class="na">getNickName</span><span class="o">());</span>
<span class="n">userRepository</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">findUser</span><span class="o">);</span>
<span class="k">return</span> <span class="s">"redirect:/profile?username="</span> <span class="o">+</span> <span class="n">findUser</span><span class="o">.</span><span class="na">getUsername</span><span class="o">();</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>마지막으로, 접근 거부 창을 띄우기 위해 SecurityController 에 /access_denied 경로를 다음과 같이 변경하자.</p>
<p><em>SecurityController.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityController</span> <span class="o">{</span>
<span class="c1">// ... more</span>
<span class="c1">//@GetMapping(value = "/access_denied")</span>
<span class="nd">@RequestMapping</span><span class="o">(</span><span class="n">value</span> <span class="o">=</span> <span class="s">"/access_denied"</span><span class="o">)</span> <span class="c1">// 모든 http method 를 허용했다.</span>
<span class="kd">public</span> <span class="nc">String</span> <span class="nf">access_denied_page</span><span class="o">()</span> <span class="o">{</span>
<span class="k">return</span> <span class="s">"access_denied"</span><span class="o">;</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>이제 다시 요청 해보자.</p>
<p>최종 결과
<img src="https://s3.ap-northeast-2.amazonaws.com/ziponia.github.io/2019-5-24/spring-security-annotation-final.gif" alt="https://s3.ap-northeast-2.amazonaws.com/ziponia.github.io/2019-5-24/spring-security-annotation-final.gif" /></p>
<p>@PostAuthorize 와 @PreAuthorize 의 차이점은,</p>
<p>메서드를 실행 한 후, 와 메서드 실행 전 의 차이이다.</p>
<p>@PreAuthorize 를 @PostAuthorize 로 변경 한 다음, 메서드 은에 콘솔을 찍어 보자.</p>@PreAuthorize 와 @PostAuthorize 에 대해서 알아보자.[SPRING] Spring Security 사용하기 #82019-05-23T00:00:00+00:002019-05-23T00:00:00+00:00https://ziponia.github.io/2019/05/23/spring-boot-jwt<h1 id="토큰-type-을-jwt-로-변경-해보자">토큰 type 을 jwt 로 변경 해보자.</h1>
<p>기존에 인증은, Resource server 가 요청을 받을 때마다, Authorization Server 에게 확인 하는 방식이다.</p>
<p>쉽게 대화형식으로 따지자면…</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>User - U
ResourceServer - R
AuthorizationServer - A
U - 토큰 발급 부탁드립니다.
A - 여기 토큰나왔습니다.
U - R 님 /api/private 에 대한 리소스를 주세요. (토큰을 건냄)
R - 기달려주세요
R - A 님 여기 토큰(유저가 건넨) 이 사용 가능 한 토큰인가요?
A - 네 사용가능합니다.
R - U 님 A 에게 확인 받았고, 여기 리소스가 있습니다. /api/private 을 건넴
</code></pre></div></div>
<p>식이다.</p>
<p>매번 요청 할때마다, 지속적으로 검시하므로, AuthorizationServer 에게 부담 일수밖에 없다.</p>
<p>jwt 토큰은 이러한 점을 좀 개선시켰다. token 자체를 인증정보로 나타냈기 때문이다.</p>
<p>이걸 대화형으로 한다면</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>User - U
ResourceServer - R
AuthorizationServer - A
U - 토큰 발급 부탁드립니다.
A - 여기 토큰나왔습니다.
U - R 님 /api/private 에 대한 리소스를 주세요. (토큰을 건냄)
R - (사전에 A와 규칙을 정한) 토큰이 맞군요! 여기 리소스가 있습니다.
</code></pre></div></div>
<p>라는 식이다.</p>
<p>조금 웃기긴 하지만, 얼추 비슷하니 재밌게 참조하자.</p>
<p>이제 실제로 코드로 구현 해보겠다.</p>
<p>먼저, AuthorizationServer Config 에 기본 토큰을 담아낼 store 를 만들자.</p>
<p><em>AuthorizationServerConfig.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Configuration</span>
<span class="nd">@EnableAuthorizationServer</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">AuthorizationServerConfig</span> <span class="kd">extends</span> <span class="nc">AuthorizationServerConfigurerAdapter</span> <span class="o">{</span>
<span class="c1">// ...</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">AuthorizationServerEndpointsConfigurer</span> <span class="n">endpoints</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="kd">super</span><span class="o">.</span><span class="na">configure</span><span class="o">(</span><span class="n">endpoints</span><span class="o">);</span>
<span class="n">endpoints</span><span class="o">.</span><span class="na">accessTokenConverter</span><span class="o">(</span><span class="n">jwtAccessTokenConverter</span><span class="o">());</span>
<span class="o">}</span>
<span class="nd">@Bean</span>
<span class="kd">public</span> <span class="nc">JwtAccessTokenConverter</span> <span class="nf">jwtAccessTokenConverter</span><span class="o">()</span> <span class="o">{</span>
<span class="k">return</span> <span class="k">new</span> <span class="nf">JwtAccessTokenConverter</span><span class="o">();</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>JwtAccessTokenConverter 가 token 을 jwt 형식으로 교환해주고, AuthorizationServerEndpointsConfigurer 에 totkenConverter 를 주입 해주었다.</p>
<p>그럼 토큰 발급시 다음과 같이 변경 되었을 것이다.</p>
<p>다음으로, AuthorizeEndpointController 의 <code class="language-plaintext highlighter-rouge">/oauth/confirm_access</code> 를 다음과 같이 바꿔주자.</p>
<p><em>AuthorizeEndpointController.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">AuthorizeEndpointController</span> <span class="o">{</span>
<span class="nd">@SuppressWarnings</span><span class="o">(</span><span class="s">"unchecked"</span><span class="o">)</span>
<span class="nd">@GetMapping</span><span class="o">(</span><span class="n">value</span> <span class="o">=</span> <span class="s">"/oauth/confirm_access"</span><span class="o">)</span>
<span class="kd">public</span> <span class="nc">String</span> <span class="nf">authorizeConfirmPage</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">Model</span> <span class="n">model</span><span class="o">)</span> <span class="o">{</span>
<span class="c1">// Map<String, Boolean> scopes = (HashMap<String, Boolean>) request.getAttribute("scopes"); remove</span>
<span class="nc">String</span><span class="o">[]</span> <span class="n">scopes</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"scope"</span><span class="o">).</span><span class="na">toString</span><span class="o">().</span><span class="na">split</span><span class="o">(</span><span class="s">" "</span><span class="o">);</span> <span class="c1">// <- here</span>
<span class="n">model</span><span class="o">.</span><span class="na">addAttribute</span><span class="o">(</span><span class="s">"scopes"</span><span class="o">,</span> <span class="n">scopes</span><span class="o">);</span>
<span class="k">return</span> <span class="s">"authorize_confirm"</span><span class="o">;</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>jwt 로 변경하면, 가지고 오는 scope 이름이 scopes 가 scope 로 바뀐다. (사실 이부분은 왜 틀린지 모르겠다..)</p>
<p>view 파일도 form 태그 쪽을 살짝 변경 해주자.</p>
<p><em>authorize_confirm.html</em></p>
<div class="language-html highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"><!-- before... --></span>
<span class="nt"><form</span> <span class="na">action=</span><span class="s">"#"</span> <span class="na">th:action=</span><span class="s">"@{/oauth/authorize}"</span> <span class="na">th:object=</span><span class="s">"${scopes}"</span> <span class="na">th:method=</span><span class="s">"post"</span><span class="nt">></span>
<span class="nt"><input</span> <span class="na">type=</span><span class="s">"hidden"</span> <span class="na">name=</span><span class="s">"user_oauth_approval"</span> <span class="na">value=</span><span class="s">"true"</span> <span class="nt">/></span>
<span class="nt"><h4</span>
<span class="na">th:text=</span><span class="s">"|${#request.getParameter('client_id')} 에서 회원님에 대한 아래와 같은 정보를 요청합니다|"</span>
<span class="nt">></h4></span>
<span class="nt"><div</span> <span class="na">th:each=</span><span class="s">"scope : ${scopes}"</span><span class="nt">></span>
<span class="nt"><label</span> <span class="na">th:for=</span><span class="s">"${scope}"</span> <span class="na">th:text=</span><span class="s">"${scope}"</span><span class="nt">></span>scope.read<span class="nt"></label></span>
<span class="nt"><input</span> <span class="na">type=</span><span class="s">"checkbox"</span> <span class="na">th:id=</span><span class="s">"${scope}"</span> <span class="na">th:name=</span><span class="s">"${scope}"</span> <span class="na">th:value=</span><span class="s">"true"</span> <span class="nt">/></span>
<span class="nt"></div></span>
<span class="nt"><div></span>
<span class="nt"><button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">></span>동의하기<span class="nt"></button></span>
<span class="nt"></div></span>
<span class="nt"></form></span>
<span class="c"><!-- after... --></span>
</code></pre></div></div>
<p>이제 토큰을 받아보자. 아마 조금 더 길어진 토큰을 볼 수 있을것이다.</p>
<p>토큰을 복사해서 <a href="https://jwt.io/">https://jwt.io/</a> 에 붙혀넣으면 토큰에 대한 정보를 볼 수 있다.</p>
<p><img src="https://s3.ap-northeast-2.amazonaws.com/ziponia.github.io/2019-5-23/oauth-jwt-io.png" alt="이미지" /></p>
<h1 id="jwt-토큰-키-설정-하기">jwt 토큰 키 설정 하기</h1>
<p>하나 문제가 있다. 서버를 재부팅 하고, 기존 토큰을 그대로 요청을 해보자.</p>
<p><img src="https://s3.ap-northeast-2.amazonaws.com/ziponia.github.io/2019-5-23/oauth-jwt-retoken.gif" alt="이미지" /></p>
<p>정상적으로 요청이 안되는 것을 볼 수 있다.</p>
<p>따라서, 이 상태로 서비스를 하려면, 서버가 재부팅 될 때, 우리의 서비스를 사용 하고 있는 사람들 에게 토큰을 다시 받으라고 공지 해야한다.</p>
<p>이게 얼마나 비효율적인 일인지 알 것이다.</p>
<p>왜 이런일이 일어나는가?</p>
<p>토큰을 받게 되면, 우리가 가져 온 토큰정보는, Security context 안에 저장이 된다.</p>
<p>따라서, memory 저장 방식인 것이다.</p>
<p>이는, 서버가 재부팅 될 때, 저장 공간이 갱신 되기 떄문이다.</p>
<p>다음 코드를 추가 해 보자. <code class="language-plaintext highlighter-rouge">/oauth/token_key</code> 로 들어 가 보자.</p>
<p><em>AuthorizationServerConfig.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">AuthorizationServerConfig</span> <span class="kd">extends</span> <span class="nc">AuthorizationServerConfigurerAdapter</span> <span class="o">{</span>
<span class="c1">//...</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">AuthorizationServerSecurityConfigurer</span> <span class="n">security</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="kd">super</span><span class="o">.</span><span class="na">configure</span><span class="o">(</span><span class="n">security</span><span class="o">);</span>
<span class="n">security</span>
<span class="o">.</span><span class="na">tokenKeyAccess</span><span class="o">(</span><span class="s">"isAuthenticated()"</span><span class="o">)</span> <span class="c1">// <- here</span>
<span class="o">.</span><span class="na">allowFormAuthenticationForClients</span><span class="o">();</span>
<span class="o">}</span>
<span class="c1">//...</span>
<span class="o">}</span>
</code></pre></div></div>
<p>이제 다음 URL 로 들어 가 보자.</p>
<p><a href="http://localhost:8080/oauth/token_key">http://localhost:8080/oauth/token_key</a></p>
<p>confirm 창이 나오면 client id 와 client secret 를 넣으면 된다.</p>
<p>그럼 화면상에 다음 과 비슷한 데이터가 나올 것이다.</p>
<div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w"> </span><span class="nl">"alg"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HMACSHA256"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Sp3P55"</span><span class="w"> </span><span class="p">}</span><span class="w">
</span></code></pre></div></div>
<p>서버를 재부팅 하고 다시 들어 가보자.</p>
<p>아마도, value 값이 변할 것이다.</p>
<div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w"> </span><span class="nl">"alg"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HMACSHA256"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AM1juH"</span><span class="w"> </span><span class="p">}</span><span class="w">
</span></code></pre></div></div>
<p>서버를 재부팅 하게 되면, 토큰의 알고리즘 자체가 바뀌게 되어, 기존 토큰으로는 인증이 안된다.</p>
<p>따라서, 우리는 서버가 용납(?) 할 수 있는 키를 만들어야 한다.</p>
<p>적당한 폴더에 다음과 같이 입력 해보자</p>
<blockquote>
<p>keytool 이 설치 되어있다는 가정에 따른다. java 가 설치되어있으면, 왼만하면, 동작한다.</p>
</blockquote>
<pre><code class="language-cmd">PS C:\keys> keytool -genkey -alias jwt -keyalg RSA -keystore jwtkey.jks -keysize 2048
키 저장소 비밀번호 입력:
새 비밀번호 다시 입력:
이름과 성을 입력하십시오.
[Unknown]: zef
조직 단위 이름을 입력하십시오.
[Unknown]: zef
조직 이름을 입력하십시오.
[Unknown]: zef
구/군/시 이름을 입력하십시오?
[Unknown]: Seoul
시/도 이름을 입력하십시오.
[Unknown]: Seoul
이 조직의 두 자리 국가 코드를 입력하십시오.
[Unknown]: KR
CN=zef, OU=zef, O=zef, L=Seoul, ST=Seoul, C=KR이(가) 맞습니까?
[아니오]: 예
<jwt>에 대한 키 비밀번호를 입력하십시오.
(키 저장소 비밀번호와 동일한 경우 Enter 키를 누름):
Warning:
JKS 키 저장소는 고유 형식을 사용합니다. "keytool -importkeystore -srckeystore jwtkey.jks -destkeystore jwtkey.jks -deststoretype pkcs12"를 사용하는 산업 표준 형식인 PKCS12로 이전하는 것이 좋습니다.
</code></pre>
<p>난 window 환경이라, powershell 로 실행하였다. 명령 행에 따라, 맞춰 쓰면 된다.</p>
<p>위처럼 하였다면, 폴더 안에 jwtkey.jks 라는 파일이 생성 되었을 것이다. 해당 파일을 프로젝트의 classpath (resource) 로 이동 시키자.</p>
<blockquote>
<p>이 행동은, 실제 서비스에서는 하지 않는다. key 는 보안규칙에 따라 관리 되어야 한다. (환경변수 등) 여기서는 포스트 용도로 공개한다.</p>
</blockquote>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>{projectRoot}/src/main/resource/jwtkey.jks
</code></pre></div></div>
<p>이제 AuthorizationServerConfig 에 jwtAccessTokenConverter 를 다음처럼 변경 해주자.</p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">AuthorizationServerConfig</span> <span class="kd">extends</span> <span class="nc">AuthorizationServerConfigurerAdapter</span> <span class="o">{</span>
<span class="c1">//...</span>
<span class="nd">@Bean</span>
<span class="kd">public</span> <span class="nc">JwtAccessTokenConverter</span> <span class="nf">jwtAccessTokenConverter</span><span class="o">()</span> <span class="o">{</span>
<span class="nc">String</span> <span class="n">keyPassword</span> <span class="o">=</span> <span class="s">"123456"</span><span class="o">,</span> <span class="n">alias</span> <span class="o">=</span> <span class="s">"jwt"</span><span class="o">,</span> <span class="n">keyFile</span> <span class="o">=</span> <span class="s">"jwtkey.jks"</span><span class="o">;</span>
<span class="nc">JwtAccessTokenConverter</span> <span class="n">converter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">JwtAccessTokenConverter</span><span class="o">();</span>
<span class="nc">KeyPair</span> <span class="n">keyPair</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">KeyStoreKeyFactory</span><span class="o">(</span><span class="k">new</span> <span class="nc">ClassPathResource</span><span class="o">(</span><span class="n">keyFile</span><span class="o">),</span> <span class="n">keyPassword</span><span class="o">.</span><span class="na">toCharArray</span><span class="o">())</span>
<span class="o">.</span><span class="na">getKeyPair</span><span class="o">(</span><span class="n">alias</span><span class="o">,</span> <span class="n">keyPassword</span><span class="o">.</span><span class="na">toCharArray</span><span class="o">());</span>
<span class="n">converter</span><span class="o">.</span><span class="na">setKeyPair</span><span class="o">(</span><span class="n">keyPair</span><span class="o">);</span>
<span class="k">return</span> <span class="n">converter</span><span class="o">;</span>
<span class="o">}</span>
<span class="c1">//...</span>
<span class="o">}</span>
</code></pre></div></div>
<p>포스트 내용과 똑같이 만들었다면, 위와 같이 설정하면 되고, 아니라면, 각자 환경에 맞게 셋팅하면 된다.</p>
<blockquote>
<p>패스워드는 포스팅 용도로 123456 으로 만들었다 실제서비스에서는 당연히 이렇게 하면 안된다.</p>
</blockquote>
<p>이제 다시 <a href="http://localhost:8080/oauth/token_key">http://localhost:8080/oauth/token_key</a> 로 들어가 보자.</p>
<p>아까와 조금 다른 값들이 나올것이다.</p>
<div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w">
</span><span class="nl">"alg"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SHA256withRSA"</span><span class="p">,</span><span class="w">
</span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"-----BEGIN PUBLIC KEY-----</span><span class="se">\n</span><span class="s2">MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAg14zVmL/2S8xn23iW88vC0l+4PQyWEbYYLgx5phjMbvy8ay/VWyl8SPbZf759t6uG330IWe69gJNs+UNXPnhC8MZ5OxEYzpiUd7IiHVKS+oJRvZPS+F82fS9pWXX0dHtxo1dG/K+IApvumzUFczpmpXHw81RFaZak9hu4u+IkOdYwc5EKPBbN3OHZfKmWJhUtklsncHA8Xm+59P9lokYBBwLgD34RBAASAyNBl02l/kPuWXVtYNktgOiFeARf7hsMV890MG7SSGNjDltbdP51ET0ASGEXX9xYnNBdxfwlLoQYPBVJgdfc18dEuBjPXFpvYIpGKkAuxamPq/q6sFBrQIDAQAB</span><span class="se">\n</span><span class="s2">-----END PUBLIC KEY-----"</span><span class="w">
</span><span class="p">}</span><span class="w">
</span></code></pre></div></div>
<p>이제 다시 토큰을 발급 받은 후, 서버를 재부팅하고 api 요청을 해보자.</p>
<p><img src="https://s3.ap-northeast-2.amazonaws.com/ziponia.github.io/2019-5-23/oauth-jwt-reboot.gif" alt="이미지" /></p>
<p>성공적으로 재부팅 후에도 토큰이 유효성을 가질 수 있게 되었다.</p>
<p>source <a href="https://github.com/ziponia/spring-security-example">https://github.com/ziponia/spring-security-example</a></p>토큰 type 을 jwt 로 변경 해보자.[SPRING] Spring Security 사용하기 #72019-05-22T00:00:00+00:002019-05-22T00:00:00+00:00https://ziponia.github.io/2019/05/22/spring-boot-oauth2-client-with-db<p><a href="https://ziponia.github.io/2019/05/20/spring-boot-oauth2-authorization-server/">지난포스팅</a> 에서는 Client 를 메모리에 생성하고, access token 을 받아, api 로 접근하는 부분까지 해보았다.</p>
<p>이렇게 클라이언트를 memory 로 관리 할 수도있지만, 사실 이렇게 하면, 새로운 client 가 추가 될 때 마다, 서버를 다시 배포 해 주어야 한다.</p>
<p>오늘은 client 와 DB 를 연결하여, 관리자가 직접 client 를 추가하고, 관리하는 부분까지 해보자.</p>
<h1 id="client-db-생성">client db 생성</h1>
<p>먼저 클라이언트 DB 를 생성 하도록 해보자.</p>
<p>이전에 WebSecurity 의 UserDetails 를 보면,</p>
<p><code class="language-plaintext highlighter-rouge">UserDetails</code> 가 Security 에 등록 될 Context 객체가 되고, <code class="language-plaintext highlighter-rouge">UserDetailsService</code> 가 <code class="language-plaintext highlighter-rouge">UserDetails</code> 를 생성하기 위한 부분을 처리 하였다.</p>
<p>client 는 <code class="language-plaintext highlighter-rouge">User</code> 를 <code class="language-plaintext highlighter-rouge">Client</code> 로 변경 해주기만 하면된다.</p>
<p>먼저 ClientDetails 를 구현 해 보자.</p>
<p>특정 user 가 다수의 client 를 가질 수 있다는 것을 염두하고 하자.</p>
<p>한마디로, user : client 는 1 : N 관계이다.</p>
<p>먼저 테이블을 만들자.</p>
<p><em>ClientEntity.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">package</span> <span class="nn">ziponia.spring.security</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">lombok.Getter</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">lombok.Setter</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.core.GrantedAuthority</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.core.authority.AuthorityUtils</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.provider.ClientDetails</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">javax.persistence.*</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">java.util.*</span><span class="o">;</span>
<span class="nd">@Entity</span>
<span class="nd">@Table</span><span class="o">(</span><span class="n">name</span> <span class="o">=</span> <span class="s">"tbl_oauth_client"</span><span class="o">)</span>
<span class="nd">@Getter</span>
<span class="nd">@Setter</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">ClientEntity</span> <span class="kd">implements</span> <span class="nc">ClientDetails</span> <span class="o">{</span>
<span class="nd">@Id</span>
<span class="nd">@GeneratedValue</span>
<span class="kd">private</span> <span class="nc">Integer</span> <span class="n">idx</span><span class="o">;</span>
<span class="nd">@ManyToOne</span>
<span class="kd">private</span> <span class="nc">UserEntity</span> <span class="n">userEntity</span><span class="o">;</span>
<span class="kd">private</span> <span class="nc">String</span> <span class="n">clientId</span><span class="o">;</span>
<span class="kd">private</span> <span class="nc">String</span> <span class="n">resourceIds</span><span class="o">;</span>
<span class="kd">private</span> <span class="nc">String</span> <span class="n">clientSecret</span><span class="o">;</span>
<span class="kd">private</span> <span class="nc">String</span> <span class="n">scope</span><span class="o">;</span>
<span class="kd">private</span> <span class="nc">String</span> <span class="n">grantTypes</span><span class="o">;</span>
<span class="kd">private</span> <span class="nc">String</span> <span class="n">redirectUri</span><span class="o">;</span>
<span class="kd">private</span> <span class="nc">String</span> <span class="n">authorities</span><span class="o">;</span>
<span class="kd">private</span> <span class="nc">Integer</span> <span class="n">accessTokenValiditySeconds</span><span class="o">;</span>
<span class="kd">private</span> <span class="nc">Integer</span> <span class="n">refreshTokenValiditySeconds</span><span class="o">;</span>
<span class="kd">private</span> <span class="nc">Boolean</span> <span class="n">autoApprove</span><span class="o">;</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="nc">String</span> <span class="nf">getClientId</span><span class="o">()</span> <span class="o">{</span>
<span class="k">return</span> <span class="n">clientId</span><span class="o">;</span>
<span class="o">}</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="nc">Set</span><span class="o"><</span><span class="nc">String</span><span class="o">></span> <span class="nf">getResourceIds</span><span class="o">()</span> <span class="o">{</span>
<span class="k">if</span> <span class="o">(</span><span class="n">resourceIds</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span>
<span class="nc">String</span><span class="o">[]</span> <span class="n">s</span> <span class="o">=</span> <span class="n">resourceIds</span><span class="o">.</span><span class="na">split</span><span class="o">(</span><span class="s">","</span><span class="o">);</span>
<span class="k">return</span> <span class="k">new</span> <span class="nc">HashSet</span><span class="o"><>(</span><span class="nc">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span><span class="n">s</span><span class="o">));</span>
<span class="o">}</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="kt">boolean</span> <span class="nf">isSecretRequired</span><span class="o">()</span> <span class="o">{</span>
<span class="k">return</span> <span class="n">clientSecret</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">;</span>
<span class="o">}</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="nc">String</span> <span class="nf">getClientSecret</span><span class="o">()</span> <span class="o">{</span>
<span class="k">return</span> <span class="n">clientSecret</span><span class="o">;</span>
<span class="o">}</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="kt">boolean</span> <span class="nf">isScoped</span><span class="o">()</span> <span class="o">{</span>
<span class="k">return</span> <span class="n">scope</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">;</span>
<span class="o">}</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="nc">Set</span><span class="o"><</span><span class="nc">String</span><span class="o">></span> <span class="nf">getScope</span><span class="o">()</span> <span class="o">{</span>
<span class="k">if</span> <span class="o">(</span><span class="n">scope</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span>
<span class="nc">String</span><span class="o">[]</span> <span class="n">s</span> <span class="o">=</span> <span class="n">scope</span><span class="o">.</span><span class="na">split</span><span class="o">(</span><span class="s">","</span><span class="o">);</span>
<span class="k">return</span> <span class="k">new</span> <span class="nc">HashSet</span><span class="o"><>(</span><span class="nc">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span><span class="n">s</span><span class="o">));</span>
<span class="o">}</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="nc">Set</span><span class="o"><</span><span class="nc">String</span><span class="o">></span> <span class="nf">getAuthorizedGrantTypes</span><span class="o">()</span> <span class="o">{</span>
<span class="k">if</span> <span class="o">(</span><span class="n">grantTypes</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span>
<span class="nc">String</span><span class="o">[]</span> <span class="n">s</span> <span class="o">=</span> <span class="n">grantTypes</span><span class="o">.</span><span class="na">split</span><span class="o">(</span><span class="s">","</span><span class="o">);</span>
<span class="k">return</span> <span class="k">new</span> <span class="nc">HashSet</span><span class="o"><>(</span><span class="nc">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span><span class="n">s</span><span class="o">));</span>
<span class="o">}</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="nc">Set</span><span class="o"><</span><span class="nc">String</span><span class="o">></span> <span class="nf">getRegisteredRedirectUri</span><span class="o">()</span> <span class="o">{</span>
<span class="k">if</span> <span class="o">(</span><span class="n">redirectUri</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span>
<span class="nc">String</span><span class="o">[]</span> <span class="n">s</span> <span class="o">=</span> <span class="n">redirectUri</span><span class="o">.</span><span class="na">split</span><span class="o">(</span><span class="s">","</span><span class="o">);</span>
<span class="k">return</span> <span class="k">new</span> <span class="nc">HashSet</span><span class="o"><>(</span><span class="nc">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span><span class="n">s</span><span class="o">));</span>
<span class="o">}</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="nc">Collection</span><span class="o"><</span><span class="nc">GrantedAuthority</span><span class="o">></span> <span class="nf">getAuthorities</span><span class="o">()</span> <span class="o">{</span>
<span class="k">if</span> <span class="o">(</span><span class="n">authorities</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">ArrayList</span><span class="o"><>();</span>
<span class="k">return</span> <span class="nc">AuthorityUtils</span><span class="o">.</span><span class="na">createAuthorityList</span><span class="o">(</span><span class="n">authorities</span><span class="o">.</span><span class="na">split</span><span class="o">(</span><span class="s">","</span><span class="o">));</span>
<span class="o">}</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="nc">Integer</span> <span class="nf">getAccessTokenValiditySeconds</span><span class="o">()</span> <span class="o">{</span>
<span class="k">return</span> <span class="n">accessTokenValiditySeconds</span><span class="o">;</span>
<span class="o">}</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="nc">Integer</span> <span class="nf">getRefreshTokenValiditySeconds</span><span class="o">()</span> <span class="o">{</span>
<span class="k">return</span> <span class="n">refreshTokenValiditySeconds</span><span class="o">;</span>
<span class="o">}</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="kt">boolean</span> <span class="nf">isAutoApprove</span><span class="o">(</span><span class="nc">String</span> <span class="n">scope</span><span class="o">)</span> <span class="o">{</span>
<span class="k">return</span> <span class="n">autoApprove</span><span class="o">;</span>
<span class="o">}</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="nc">Map</span><span class="o"><</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Object</span><span class="o">></span> <span class="nf">getAdditionalInformation</span><span class="o">()</span> <span class="o">{</span>
<span class="k">return</span> <span class="kc">null</span><span class="o">;</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p><code class="language-plaintext highlighter-rouge">ClientDetails</code> 구현체로 만들고, userEntity 와 하이버네이트 등록을 위해 <code class="language-plaintext highlighter-rouge">@Id</code> 까지 넣어주었다.</p>
<p>다음으로 client 를 DB 에서 조회 하기 위해, JPA Repository 를 만든다.</p>
<p><em>OAuth2ClientRepository.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">package</span> <span class="nn">ziponia.spring.security</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.data.jpa.repository.JpaRepository</span><span class="o">;</span>
<span class="kd">public</span> <span class="kd">interface</span> <span class="nc">OAuth2ClientRepository</span> <span class="kd">extends</span> <span class="nc">JpaRepository</span><span class="o"><</span><span class="nc">ClientEntity</span><span class="o">,</span> <span class="nc">Integer</span><span class="o">></span> <span class="o">{</span>
<span class="nc">ClientEntity</span> <span class="nf">findByClientId</span><span class="o">(</span><span class="nc">String</span> <span class="n">clientId</span><span class="o">);</span>
<span class="o">}</span>
</code></pre></div></div>
<p>이어서, ClientDetailsService 를 구현하자, UserDetailsService 와 비슷한 개념으로 생각하면 된다.</p>
<p><em>ClientDetailsServiceImpl.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">package</span> <span class="nn">ziponia.spring.security</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">lombok.extern.java.Log</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.beans.factory.annotation.Autowired</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.provider.ClientDetails</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.provider.ClientDetailsService</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.provider.ClientRegistrationException</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.provider.client.BaseClientDetails</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.transaction.annotation.Transactional</span><span class="o">;</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">ClientDetailsServiceImpl</span> <span class="kd">implements</span> <span class="nc">ClientDetailsService</span> <span class="o">{</span>
<span class="nd">@Autowired</span>
<span class="kd">private</span> <span class="nc">OAuth2ClientRepository</span> <span class="n">oAuth2ClientRepository</span><span class="o">;</span>
<span class="nd">@Override</span>
<span class="nd">@Transactional</span>
<span class="kd">public</span> <span class="nc">ClientDetails</span> <span class="nf">loadClientByClientId</span><span class="o">(</span><span class="nc">String</span> <span class="n">clientId</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">ClientRegistrationException</span> <span class="o">{</span>
<span class="nc">ClientEntity</span> <span class="n">clientEntity</span> <span class="o">=</span> <span class="n">oAuth2ClientRepository</span><span class="o">.</span><span class="na">findByClientId</span><span class="o">(</span><span class="n">clientId</span><span class="o">);</span>
<span class="k">return</span> <span class="k">new</span> <span class="nf">BaseClientDetails</span><span class="o">(</span><span class="n">clientEntity</span><span class="o">);</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>마지막으로, <code class="language-plaintext highlighter-rouge">AuthorizationServerConfig</code> 에서 기존에 clients.inMemory()….. 부분을 다음처럼 변경 해주자.</p>
<p><em>AuthorizationServerConfig.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">AuthorizationServerConfig</span> <span class="kd">extends</span> <span class="nc">AuthorizationServerConfigurerAdapter</span> <span class="o">{</span>
<span class="c1">// ...other</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">ClientDetailsServiceConfigurer</span> <span class="n">clients</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="cm">/*clients
.inMemory()
.withClient("client")
.secret(passwordEncoder.encode("secret"))
.authorizedGrantTypes("client_credentials", "authorization_code", "refresh_token", "password")
.authorities("CLIENT")
.scopes("read", "basic", "profile")
.redirectUris("http://localhost:4000/api/callback")
.autoApprove(false);*/</span>
<span class="n">clients</span>
<span class="o">.</span><span class="na">withClientDetails</span><span class="o">(</span><span class="n">clientDetailsService</span><span class="o">());</span>
<span class="o">}</span>
<span class="c1">// ...other</span>
<span class="o">}</span>
</code></pre></div></div>
<p>모든 설정이 끝났다.</p>
<p>이제 import.sql 에다 임의로, 레코드를 추가하여, 애플리케이션을 부팅 후 테스트 해보자.</p>
<p><em>import.sql</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">insert</span> <span class="n">into</span> <span class="nf">tbl_users</span> <span class="o">(</span><span class="n">idx</span><span class="o">,</span> <span class="n">username</span><span class="o">,</span> <span class="n">password</span><span class="o">)</span> <span class="n">values</span> <span class="o">(</span><span class="mi">1</span><span class="o">,</span> <span class="err">'</span><span class="n">user</span><span class="err">'</span><span class="o">,</span> <span class="err">'</span><span class="o">{</span><span class="n">bcrypt</span><span class="o">}</span><span class="err">$</span><span class="mi">2</span><span class="n">a</span><span class="err">$</span><span class="mi">10</span><span class="n">$Wyc</span><span class="o">.</span><span class="na">IrbO</span><span class="o">.</span><span class="na">bqraF58565Yde6J6heWdARvbDUKfaQYr9v</span><span class="o">/</span><span class="nc">IoHcQ1RlK</span><span class="err">'</span><span class="o">);</span>
<span class="n">insert</span> <span class="n">into</span> <span class="nf">tbl_users</span> <span class="o">(</span><span class="n">idx</span><span class="o">,</span> <span class="n">username</span><span class="o">,</span> <span class="n">password</span><span class="o">)</span> <span class="n">values</span> <span class="o">(</span><span class="mi">2</span><span class="o">,</span> <span class="err">'</span><span class="n">admin</span><span class="err">'</span><span class="o">,</span> <span class="err">'</span><span class="o">{</span><span class="n">bcrypt</span><span class="o">}</span><span class="err">$</span><span class="mi">2</span><span class="n">a</span><span class="err">$</span><span class="mi">10</span><span class="n">$Wyc</span><span class="o">.</span><span class="na">IrbO</span><span class="o">.</span><span class="na">bqraF58565Yde6J6heWdARvbDUKfaQYr9v</span><span class="o">/</span><span class="nc">IoHcQ1RlK</span><span class="err">'</span><span class="o">);</span>
<span class="n">insert</span> <span class="n">into</span> <span class="nf">tbl_oauth_client</span> <span class="o">(</span><span class="n">idx</span><span class="o">,</span> <span class="n">authorities</span><span class="o">,</span> <span class="n">auto_approve</span><span class="o">,</span> <span class="n">client_id</span><span class="o">,</span> <span class="n">client_secret</span><span class="o">,</span> <span class="n">grant_types</span><span class="o">,</span> <span class="n">redirect_uri</span><span class="o">,</span> <span class="n">scope</span><span class="o">,</span> <span class="n">user_entity_idx</span><span class="o">)</span> <span class="n">values</span> <span class="o">(</span><span class="mi">1</span><span class="o">,</span> <span class="err">'</span><span class="no">CLIENT</span><span class="err">'</span><span class="o">,</span> <span class="kc">false</span><span class="o">,</span> <span class="err">'</span><span class="n">client</span><span class="err">'</span><span class="o">,</span> <span class="err">'</span><span class="o">{</span><span class="n">bcrypt</span><span class="o">}</span><span class="err">$</span><span class="mi">2</span><span class="n">a</span><span class="err">$</span><span class="mi">10</span><span class="n">$cxEU57mmmEm9FfhAJBMW7ec9oG4Y5Uq4Os8CfpxoL6TLzxPCCqzXK</span><span class="err">'</span><span class="o">,</span> <span class="err">'</span><span class="n">client_credentials</span><span class="o">,</span><span class="n">authorization_code</span><span class="o">,</span><span class="n">refresh_token</span><span class="o">,</span><span class="n">password</span><span class="err">'</span><span class="o">,</span> <span class="err">'</span><span class="nl">http:</span><span class="c1">//localhost:4000/api/callback', 'read,basic,profile', 1);</span>
</code></pre></div></div>
<p>정상적으로 토큰을 받아오는것을 볼 수 있다.</p>
<p>화면은 이전 포스팅 한 것과 동일하니, 참조하자.</p>지난포스팅 에서는 Client 를 메모리에 생성하고, access token 을 받아, api 로 접근하는 부분까지 해보았다.[SPRING] Spring Security 사용하기 #62019-05-20T00:00:00+00:002019-05-20T00:00:00+00:00https://ziponia.github.io/2019/05/20/spring-boot-oauth2-authorization-server<h1 id="최종-목표">최종 목표</h1>
<p><img src="https://s3.ap-northeast-2.amazonaws.com/ziponia.github.io/2019-5-20/oauth-7.gif" alt="이미지" /></p>
<p>지난번포스팅까지 잘 따라왔다면, 사실 조금 더 서비스에 맞는부분을 커스터마이징 해서 사용하는데 문제가 없다.</p>
<p>근데 이런경우라면 생각해보자.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>N 사가 우리의 리소스를 사용하기 위해 회사랑 계약을 하였다.
우리는 내부 소스코드는 노출 하지 않은채, N 사에게 인터페이스만 제공 하여야 한다.
우리는 N 사에게만, 리소스를 제공 하여야 하며, 외부로 오픈되면 안된다.
사용자가 N 사를 통해서 접속 할 때, 우리가 N 사에게 허용 한 리소스만 N 사는 사용자에게 정보를 제공 할 수 있다.
</code></pre></div></div>
<p>사실 이것을 구현 하는일은, 쉽지 않다.</p>
<p>그래서, 머리 좋은 어떤 사람들이 <a href="https://oauth.net/2/">oauth2</a> 라는 인증 워크 플로우를 만들어 냈고, 이 기술은 표준으로 등록 되어 질 만큼 핫(?) 하다.</p>
<p>이 플로우를 설계 하는데 앞서, 우리는 일단 용어들을 대충이라도 알고 있어야 한다.</p>
<p>이전 포스팅 까지 진행했던 <a href="https://ziponia.github.io/2019/05/16/spring-security-with-boot-oauth2/">소셜 로그인 서비스</a> 의 facebook 로그인을 살펴보자.</p>
<p>우리는 facebook 측으로 부터 client id 와 client secret 을 발급 받은적이 있다.</p>
<p><img src="https://s3.ap-northeast-2.amazonaws.com/ziponia.github.io/2019-5-20/facebook_oauth_client_id_secret.png" alt="페이스북 개발자센터" /></p>
<p>이것은 우리가 페이스북 서버에 접속하여, 페이스북 안에 들어있는 사용자 와 관련된 정보를 가져 올 때 사용 하는</p>
<p>일종에 아이디와 패스워드이다.</p>
<p>그리고, facebook 에서 우리 에게 주는 facebook 사용자의 정보들 이메일, 유저 프로필 사진, 아이디 등을 <code class="language-plaintext highlighter-rouge">scope</code> 라고 한다.</p>
<p>facebook 에서 발급 한, client id 와 client secret 을 가지고 페이스북에 사용자 정보 요청을 대행(?) 해 주는</p>
<p>우리를 <code class="language-plaintext highlighter-rouge">클라이언트</code> 라고 한다.</p>
<p>페이스북에서 우리에게 리소스 서버에 접근 권한을 주고, <code class="language-plaintext highlighter-rouge">access_token</code> 이라는 입장권한(?) 을 주는 서버를</p>
<p><code class="language-plaintext highlighter-rouge">Authorization server (권한 서버)</code> 라고 한다.</p>
<p>실제 페이스북 안의 사용자의 리소스를 우리에게 제공해 주는 API 서버를 <code class="language-plaintext highlighter-rouge">Resource Server (리소스 서버)</code> 라고 한다.</p>
<p>우리를 통해 facebook 안에 리소스를 요청하고, 리소스의 주인이 되는 User 를 <code class="language-plaintext highlighter-rouge">Resource Owner (리소스 주인)</code> 라고 한다.</p>
<p>우리가 Resource Server 에 사용자 정보를 요청하고, 제공 받을 수 있도록 Authorization Server 가 부여 한 입장권을 <code class="language-plaintext highlighter-rouge">access token</code> 이라고 한다.</p>
<p>access token 이 유통기한(?) 이 지나, 사용 할 수 없도록 되어 진 것을 <code class="language-plaintext highlighter-rouge">access token expired (토큰 만료)</code> 라고 한다.</p>
<p>access token 을 재발급 할 수 있도록 임시로 유통기한이 긴 토큰을 <code class="language-plaintext highlighter-rouge">refresh token</code> 이라고 한다.</p>
<p>…</p>
<p>oauth2 에 workflow 에 대한 이미지는 구글에 <code class="language-plaintext highlighter-rouge">oauth2 workflow</code> 라고만 검색해도, 엄청난 정보들이 쏟아지니 참고하자.</p>
<p>이제 지루한 이론은 뒤로하고, security 로 구현 방법을 보자.</p>
<h1 id="시큐리티-관리-분리">시큐리티 관리 분리</h1>
<p>사전에 해야 할 일은, security 가 관여 해야 할 url 을 분리하는것이다.</p>
<p>RootSecurityConfig class 를 만들자</p>
<p><em>RootSecurityConfig.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">package</span> <span class="nn">ziponia.spring.security</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Configuration</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configuration.EnableWebSecurity</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer</span><span class="o">;</span>
<span class="nd">@Configuration</span>
<span class="nd">@EnableOAuth2Client</span>
<span class="nd">@EnableWebSecurity</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">RootSecurityConfig</span> <span class="o">{</span>
<span class="nd">@Configuration</span>
<span class="kd">public</span> <span class="kd">static</span> <span class="kd">class</span> <span class="nc">FormSecurityConfigAdapter</span> <span class="kd">extends</span> <span class="nc">WebSecurityConfig</span> <span class="o">{}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>기존에 WebSecurityConfig 에서 사용하던 어노테이션들을 옮기고 static class를 만들어 기존에 WebSecurityConfig 를 상속 받도록 하였다.</p>
<p>다음으로 WebSecurityConfig 가 관여 해야 할 path 를 지정하자.</p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">WebSecurityConfig</span> <span class="kd">extends</span> <span class="nc">WebSecurityConfigurerAdapter</span> <span class="o">{</span>
<span class="nd">@Override</span>
<span class="kd">protected</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="n">http</span>
<span class="o">.</span><span class="na">requestMatchers</span><span class="o">()</span>
<span class="o">.</span><span class="na">mvcMatchers</span><span class="o">(</span><span class="s">"/login/**"</span><span class="o">,</span> <span class="s">"/logout/**"</span><span class="o">,</span> <span class="s">"/private/**"</span><span class="o">,</span> <span class="s">"/admin/**"</span><span class="o">,</span> <span class="s">"/"</span><span class="o">)</span>
<span class="o">.</span><span class="na">and</span><span class="o">()</span>
<span class="c1">// ... other settings....</span>
<span class="o">;</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>class 에 어노테이션들을 제거하고, http 바로 아래, requestMatchers 를 추가하였자.</p>
<p><code class="language-plaintext highlighter-rouge">"/login/**", "/logout/**", "/private/**", "/admin/**", "/"</code> 패턴의 URL 들만 기존 시큐리티가 관리하도록 설정하였다.</p>
<blockquote>
<p>반드시, 다른 설정보다 위에 있어야 한다. 그렇지 않으면, 기본으로 시큐리티가 모든 path 를 관리한다.</p>
</blockquote>
<blockquote>
<p>지정하지 않아도 문제가 된다. 한번 <code class="language-plaintext highlighter-rouge">/ 경로</code> 를 제외 하고 <code class="language-plaintext highlighter-rouge">/</code> 경로에서 로그 아웃을 해보라!</p>
</blockquote>
<h1 id="resource-server-config-생성">Resource Server Config 생성</h1>
<p>이제 API 를 요청 할 수 있는 Resource Server 를 생성하자</p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">package</span> <span class="nn">ziponia.spring.security</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.builders.HttpSecurity</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer</span><span class="o">;</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">ResourceServerConfig</span> <span class="kd">extends</span> <span class="nc">ResourceServerConfigurerAdapter</span> <span class="o">{</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">ResourceServerSecurityConfigurer</span> <span class="n">resources</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="kd">super</span><span class="o">.</span><span class="na">configure</span><span class="o">(</span><span class="n">resources</span><span class="o">);</span>
<span class="o">}</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="n">http</span>
<span class="o">.</span><span class="na">antMatcher</span><span class="o">(</span><span class="s">"/api/**"</span><span class="o">)</span> <span class="c1">// /api/** 경로 관리</span>
<span class="o">.</span><span class="na">authorizeRequests</span><span class="o">()</span>
<span class="o">.</span><span class="na">antMatchers</span><span class="o">(</span><span class="s">"/api/**"</span><span class="o">).</span><span class="na">hasAuthority</span><span class="o">(</span><span class="s">"CLIENT"</span><span class="o">);</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>일단 단순 한 형태의 시큐리티 패턴만 주었다.</p>
<p>이제 RootSecurityConfig 에 아래 항목을 추가하자.</p>
<p><em>RootSecurityConfig</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Configuration</span>
<span class="nd">@EnableOAuth2Client</span>
<span class="nd">@EnableWebSecurity</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">RootSecurityConfig</span> <span class="o">{</span>
<span class="nd">@Configuration</span>
<span class="kd">public</span> <span class="kd">static</span> <span class="kd">class</span> <span class="nc">FormSecurityConfigAdapter</span> <span class="kd">extends</span> <span class="nc">WebSecurityConfig</span> <span class="o">{}</span>
<span class="nd">@Configuration</span>
<span class="nd">@EnableResourceServer</span>
<span class="kd">public</span> <span class="kd">static</span> <span class="kd">class</span> <span class="nc">ApiSecurityConfigAdapter</span> <span class="kd">extends</span> <span class="nc">ResourceServerConfig</span> <span class="o">{}</span>
<span class="o">}</span>
</code></pre></div></div>
<h1 id="권한-서버토큰발급-서버-생성">권한 서버(토큰발급 서버) 생성</h1>
<p>이제 권한 서버를 생성하자</p>
<p><em>AuthorizationServerConfig.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">package</span> <span class="nn">ziponia.spring.security</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.beans.factory.annotation.Autowired</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.context.annotation.Configuration</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.crypto.password.PasswordEncoder</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer</span><span class="o">;</span>
<span class="nd">@Configuration</span>
<span class="nd">@EnableAuthorizationServer</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">AuthorizationServerConfig</span> <span class="kd">extends</span> <span class="nc">AuthorizationServerConfigurerAdapter</span> <span class="o">{</span>
<span class="nd">@Autowired</span>
<span class="kd">private</span> <span class="nc">PasswordEncoder</span> <span class="n">passwordEncoder</span><span class="o">;</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">AuthorizationServerSecurityConfigurer</span> <span class="n">security</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="c1">// 기본 AuthorizationServer Security 설정은 유지 한채,</span>
<span class="c1">// client 의 인증정보를 Header 가 아닌, form 으로 받을 수 있도록 한다.</span>
<span class="kd">super</span><span class="o">.</span><span class="na">configure</span><span class="o">(</span><span class="n">security</span><span class="o">);</span>
<span class="n">security</span>
<span class="o">.</span><span class="na">allowFormAuthenticationForClients</span><span class="o">();</span>
<span class="o">}</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">ClientDetailsServiceConfigurer</span> <span class="n">clients</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="n">clients</span>
<span class="o">.</span><span class="na">inMemory</span><span class="o">()</span>
<span class="o">.</span><span class="na">withClient</span><span class="o">(</span><span class="s">"client"</span><span class="o">)</span>
<span class="o">.</span><span class="na">secret</span><span class="o">(</span><span class="n">passwordEncoder</span><span class="o">.</span><span class="na">encode</span><span class="o">(</span><span class="s">"secret"</span><span class="o">))</span>
<span class="o">.</span><span class="na">authorizedGrantTypes</span><span class="o">(</span><span class="s">"client_credentials"</span><span class="o">,</span> <span class="s">"authorization_code"</span><span class="o">,</span> <span class="s">"refresh_token"</span><span class="o">,</span> <span class="s">"password"</span><span class="o">)</span>
<span class="o">.</span><span class="na">authorities</span><span class="o">(</span><span class="s">"CLIENT"</span><span class="o">)</span>
<span class="o">.</span><span class="na">scopes</span><span class="o">(</span><span class="s">"read"</span><span class="o">)</span>
<span class="o">.</span><span class="na">redirectUris</span><span class="o">(</span><span class="s">"http://localhost:4000/api/callback"</span><span class="o">)</span>
<span class="o">.</span><span class="na">autoApprove</span><span class="o">(</span><span class="kc">false</span><span class="o">);</span>
<span class="o">}</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">AuthorizationServerEndpointsConfigurer</span> <span class="n">endpoints</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="kd">super</span><span class="o">.</span><span class="na">configure</span><span class="o">(</span><span class="n">endpoints</span><span class="o">);</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>모든 설정이 완료되었다.</p>
<p>이제 postman 에서 테스트를 진행 해 보자.</p>
<p><img src="https://s3.ap-northeast-2.amazonaws.com/ziponia.github.io/2019-5-20/oauth-2.gif" alt="이미지" /></p>
<p>정상적으로 소셜 로그인도 되고, 토큰방식의 로그인도 되는것을 볼 수 있다.</p>
<h1 id="token-제공-용도의-login-page-생성하기">token 제공 용도의 login page 생성하기</h1>
<p>먼저 기존에 일반적인 로그인 폼이 아닌, 외부에서 제공 할 login form 을 만들자.</p>
<p><em>oauth_login.html</em></p>
<div class="language-html highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp"><!DOCTYPE html></span>
<span class="nt"><html</span> <span class="na">lang=</span><span class="s">"en"</span> <span class="na">xmlns:th=</span><span class="s">"http://www.thymeleaf.org"</span><span class="nt">></span>
<span class="nt"><head></span>
<span class="nt"><meta</span> <span class="na">charset=</span><span class="s">"UTF-8"</span> <span class="nt">/></span>
<span class="nt"><meta</span>
<span class="na">name=</span><span class="s">"viewport"</span>
<span class="na">content=</span><span class="s">"width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0"</span>
<span class="nt">/></span>
<span class="nt"><meta</span> <span class="na">http-equiv=</span><span class="s">"X-UA-Compatible"</span> <span class="na">content=</span><span class="s">"ie=edge"</span> <span class="nt">/></span>
<span class="nt"><link</span> <span class="na">rel=</span><span class="s">"stylesheet"</span> <span class="na">th:href=</span><span class="s">"@{/css/main.css}"</span> <span class="nt">/></span>
<span class="nt"><title></span>Document<span class="nt"></title></span>
<span class="nt"></head></span>
<span class="nt"><body></span>
<span class="nt"><fieldset></span>
<span class="nt"><legend></span>제프의 로그인 시스템<span class="nt"></legend></span>
<span class="nt"><form</span> <span class="na">th:action=</span><span class="s">"@{/api/login}"</span> <span class="na">th:method=</span><span class="s">"post"</span><span class="nt">></span>
<span class="nt"><input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"username"</span> <span class="na">placeholder=</span><span class="s">"아이디를 입력 해 주세요."</span> <span class="nt">/></span>
<span class="nt"><br</span> <span class="nt">/></span>
<span class="nt"><input</span> <span class="na">type=</span><span class="s">"password"</span> <span class="na">name=</span><span class="s">"password"</span> <span class="na">placeholder=</span><span class="s">"비밀번호를 입력 해 주세요."</span> <span class="nt">/></span>
<span class="nt"><br</span> <span class="nt">/></span>
<span class="nt"><button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">></span>로그인<span class="nt"></button></span>
<span class="nt"></form></span>
<span class="nt"></fieldset></span>
<span class="nt"></body></span>
<span class="nt"></html></span>
</code></pre></div></div>
<p>기존 폼에서, 문구만 제프의 로그인 이라는 문구로 변경하고 action 을 <code class="language-plaintext highlighter-rouge">/oauth/login</code> 으로 변경 하였다.</p>
<p>다음으로, AuthorizationServerSecurityConfig class 를 만들자.</p>
<p><em>AuthorizationServerSecurityConfig.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">package</span> <span class="nn">ziponia.spring.security</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.beans.factory.annotation.Autowired</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.builders.HttpSecurity</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.security.core.userdetails.UserDetailsService</span><span class="o">;</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">AuthorizationServerSecurityConfig</span> <span class="kd">extends</span> <span class="nc">WebSecurityConfigurerAdapter</span> <span class="o">{</span>
<span class="nd">@Autowired</span>
<span class="kd">private</span> <span class="nc">UserDetailsService</span> <span class="n">userDetailsService</span><span class="o">;</span>
<span class="nd">@Override</span>
<span class="kd">protected</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">AuthenticationManagerBuilder</span> <span class="n">auth</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="n">auth</span><span class="o">.</span><span class="na">userDetailsService</span><span class="o">(</span><span class="n">userDetailsService</span><span class="o">);</span>
<span class="o">}</span>
<span class="nd">@Override</span>
<span class="kd">protected</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="n">http</span>
<span class="o">.</span><span class="na">requestMatchers</span><span class="o">()</span>
<span class="o">.</span><span class="na">mvcMatchers</span><span class="o">(</span><span class="s">"/oauth/authorize/**"</span><span class="o">,</span> <span class="s">"/api/login"</span><span class="o">)</span>
<span class="o">.</span><span class="na">and</span><span class="o">()</span>
<span class="o">.</span><span class="na">authorizeRequests</span><span class="o">()</span>
<span class="o">.</span><span class="na">antMatchers</span><span class="o">(</span><span class="s">"/oauth/authorize/**"</span><span class="o">).</span><span class="na">authenticated</span><span class="o">()</span>
<span class="o">.</span><span class="na">and</span><span class="o">()</span>
<span class="o">.</span><span class="na">formLogin</span><span class="o">()</span>
<span class="o">.</span><span class="na">loginPage</span><span class="o">(</span><span class="s">"/api/login"</span><span class="o">);</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>이 클래스의 역할은, <code class="language-plaintext highlighter-rouge">grant type : authorization_code</code> 로 요청하면, <code class="language-plaintext highlighter-rouge">"User must be authenticated with Spring Security before authorization can be completed."</code></p>
<p>에러가 뜨게 되는데, 기본적으로 시큐리티 컨텍스트로 인증이 된 후 요청하라는 의미 인 것 같다.</p>
<p>그것을 방지 하기 위한 역할이다. <code class="language-plaintext highlighter-rouge">/oauth/authorize/</code> 경로로 들어오면 로그인이 되어있지 않은경우, <code class="language-plaintext highlighter-rouge">/api/login</code> 으로 리다이렉트 시킨다.</p>
<p>로그인 방식은, 기존에 구현 해 둔, <code class="language-plaintext highlighter-rouge">UserDetailsService</code> 를 주입 해준다.</p>
<p>이제 RootSecurityConfig 에서, AuthorizationServerSecurityConfig 를 등록하자.</p>
<p><em>RootSecurityConfig.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Configuration</span>
<span class="nd">@EnableOAuth2Client</span>
<span class="nd">@EnableWebSecurity</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">RootSecurityConfig</span> <span class="o">{</span>
<span class="nd">@Configuration</span>
<span class="kd">public</span> <span class="kd">static</span> <span class="kd">class</span> <span class="nc">FormSecurityConfigAdapter</span> <span class="kd">extends</span> <span class="nc">WebSecurityConfig</span> <span class="o">{}</span>
<span class="nd">@Order</span><span class="o">(</span><span class="mi">2</span><span class="o">)</span>
<span class="nd">@Configuration</span>
<span class="kd">public</span> <span class="kd">static</span> <span class="kd">class</span> <span class="nc">AuthorizationSecurityConfigAdapter</span> <span class="kd">extends</span> <span class="nc">AuthorizationServerSecurityConfig</span> <span class="o">{}</span>
<span class="nd">@Configuration</span>
<span class="nd">@EnableResourceServer</span>
<span class="kd">public</span> <span class="kd">static</span> <span class="kd">class</span> <span class="nc">ApiSecurityConfigAdapter</span> <span class="kd">extends</span> <span class="nc">ResourceServerConfig</span> <span class="o">{}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>이제 아래 URL로 접속 해서, 로그인 해보자.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>http://localhost:8080/oauth/authorize
?client_id=client
&redirect_uri=http://localhost:4000/api/callback
&response_type=code
</code></pre></div></div>
<p><img src="https://s3.ap-northeast-2.amazonaws.com/ziponia.github.io/2019-5-20/oauth-4.gif" alt="이미지" /></p>
<h1 id="grant_type-code">grant_type code</h1>
<p>code 방식의 로그인을 살펴 보자.</p>
<p>우리가 카카오 로그인을 하게 되면, 아마 이런 페이지가 처음에 떳을 것이다.</p>
<p><img src="https://s3.ap-northeast-2.amazonaws.com/ziponia.github.io/2019-5-20/oauth-3.png" alt="이미지" /></p>
<p>조금씩 내용이 다를 수도있지만, 전체적으로 크게 다르지 않다.</p>
<p>이제 저런 화면을 만들어 볼 것이다.</p>
<blockquote>
<p>이미 인증을 해서 로그인시에 위에 이미지가 안보인다면, 자신의 카카오톡의 설정 > 카카오계정 > 연결된 서비스 관리 > [그 외 카카오계정으로 로그인] 항목에 자신의 만든 앱 아이콘이 나올 것이다. 클릭 후 모든 정보 삭제 후 다시 로그인 하면된다.</p>
</blockquote>
<p>다시 돌아가서, 브라우저에서 카카오 로그인을 누른 후 URL 을 보면 아래와 비슷한 URL 이 나올것이다.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://kauth.kakao.com/oauth/authorize?client_id={CLIENT_ID}&redirect_uri=http://localhost:8080/login/kakao&response_type=code&state=5xDqcR
</code></pre></div></div>
<p>위에서 우리가 요청했던 URL 과 동일하게 생긴것을 볼 수 있다.</p>
<p>인가 페이지를 좀 더 꾸며보자.</p>
<p>인가 페이지를 변경하는 방법은, 그냥 Endpoint 를 오버라이딩 하면 된다고 한다.</p>
<p><a href="https://stackoverflow.com/a/29435900">스택 오버플로우 Dave Syer 아저씨의 답변</a></p>
<p>AuthorizeEndpointController class 를 아래처럼 만들어 주자.</p>
<p><em>AuthorizeEndpointController.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">package</span> <span class="nn">ziponia.spring.security</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.stereotype.Controller</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.ui.Model</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.GetMapping</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">org.springframework.web.bind.annotation.SessionAttributes</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">javax.servlet.http.HttpServletRequest</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">java.util.HashMap</span><span class="o">;</span>
<span class="kn">import</span> <span class="nn">java.util.Map</span><span class="o">;</span>
<span class="nd">@Controller</span>
<span class="nd">@SessionAttributes</span><span class="o">(</span><span class="s">"authorizationRequest"</span><span class="o">)</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">AuthorizeEndpointController</span> <span class="o">{</span>
<span class="nd">@SuppressWarnings</span><span class="o">(</span><span class="s">"unchecked"</span><span class="o">)</span>
<span class="nd">@GetMapping</span><span class="o">(</span><span class="n">value</span> <span class="o">=</span> <span class="s">"/oauth/confirm_access"</span><span class="o">)</span>
<span class="kd">public</span> <span class="nc">String</span> <span class="nf">authorizeConfirmPage</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">Model</span> <span class="n">model</span><span class="o">)</span> <span class="o">{</span>
<span class="nc">Map</span><span class="o"><</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Boolean</span><span class="o">></span> <span class="n">scopes</span> <span class="o">=</span> <span class="o">(</span><span class="nc">HashMap</span><span class="o"><</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Boolean</span><span class="o">>)</span> <span class="n">request</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"scopes"</span><span class="o">);</span>
<span class="n">model</span><span class="o">.</span><span class="na">addAttribute</span><span class="o">(</span><span class="s">"scopes"</span><span class="o">,</span> <span class="n">scopes</span><span class="o">);</span>
<span class="k">return</span> <span class="s">"authorize_confirm"</span><span class="o">;</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p>위 처럼 하면 scope 를 가져 올 수 있다.</p>
<p>이제 html 만 랜더링 해 주면 끝이다.</p>
<p><em>authorize_confirm.html</em></p>
<div class="language-html highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp"><!DOCTYPE html></span>
<span class="nt"><html</span> <span class="na">lang=</span><span class="s">"ko"</span> <span class="na">xmlns:th=</span><span class="s">"http://www.thymeleaf.org"</span><span class="nt">></span>
<span class="nt"><head></span>
<span class="nt"><meta</span> <span class="na">charset=</span><span class="s">"UTF-8"</span> <span class="nt">/></span>
<span class="nt"><meta</span>
<span class="na">name=</span><span class="s">"viewport"</span>
<span class="na">content=</span><span class="s">"width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0"</span>
<span class="nt">/></span>
<span class="nt"><meta</span> <span class="na">http-equiv=</span><span class="s">"X-UA-Compatible"</span> <span class="na">content=</span><span class="s">"ie=edge"</span> <span class="nt">/></span>
<span class="nt"><title></span>Document<span class="nt"></title></span>
<span class="nt"><style></span>
<span class="o">*</span> <span class="p">{</span>
<span class="nl">box-sizing</span><span class="p">:</span> <span class="n">border-box</span><span class="p">;</span>
<span class="p">}</span>
<span class="nt">html</span><span class="o">,</span>
<span class="nt">body</span> <span class="p">{</span>
<span class="nl">margin</span><span class="p">:</span> <span class="m">0</span><span class="p">;</span>
<span class="nl">padding</span><span class="p">:</span> <span class="m">0</span><span class="p">;</span>
<span class="p">}</span>
<span class="nc">.wrap</span> <span class="p">{</span>
<span class="nl">width</span><span class="p">:</span> <span class="m">100vw</span><span class="p">;</span>
<span class="nl">height</span><span class="p">:</span> <span class="m">100vh</span><span class="p">;</span>
<span class="nl">background-color</span><span class="p">:</span> <span class="m">#eeeeee</span><span class="p">;</span>
<span class="nl">display</span><span class="p">:</span> <span class="n">flex</span><span class="p">;</span>
<span class="nl">flex-direction</span><span class="p">:</span> <span class="n">column</span><span class="p">;</span>
<span class="nl">justify-content</span><span class="p">:</span> <span class="nb">center</span><span class="p">;</span>
<span class="nl">align-items</span><span class="p">:</span> <span class="nb">center</span><span class="p">;</span>
<span class="p">}</span>
<span class="nt">form</span> <span class="p">{</span>
<span class="nl">display</span><span class="p">:</span> <span class="nb">block</span><span class="p">;</span>
<span class="nl">width</span><span class="p">:</span> <span class="m">600px</span><span class="p">;</span>
<span class="nl">background-color</span><span class="p">:</span> <span class="m">#ffffff</span><span class="p">;</span>
<span class="nl">border</span><span class="p">:</span> <span class="m">1px</span> <span class="nb">solid</span> <span class="m">#dddddd</span><span class="p">;</span>
<span class="nl">padding</span><span class="p">:</span> <span class="m">20px</span><span class="p">;</span>
<span class="p">}</span>
<span class="nt"></style></span>
<span class="nt"></head></span>
<span class="nt"><body></span>
<span class="nt"><div</span> <span class="na">class=</span><span class="s">"wrap"</span><span class="nt">></span>
<span class="nt"><h1></span>제프의 인증시스템<span class="nt"></h1></span>
<span class="nt"><form</span> <span class="na">action=</span><span class="s">"#"</span> <span class="na">th:action=</span><span class="s">"@{/oauth/authorize}"</span> <span class="na">th:object=</span><span class="s">"${scopes}"</span> <span class="na">th:method=</span><span class="s">"post"</span><span class="nt">></span>
<span class="nt"><input</span> <span class="na">type=</span><span class="s">"hidden"</span> <span class="na">name=</span><span class="s">"user_oauth_approval"</span> <span class="na">value=</span><span class="s">"true"</span> <span class="nt">/></span>
<span class="nt"><h4</span>
<span class="na">th:text=</span><span class="s">"|${#request.getParameter('client_id')} 에서 회원님에 대한 아래와 같은 정보를 요청합니다|"</span>
<span class="nt">></h4></span>
<span class="nt"><div</span> <span class="na">th:each=</span><span class="s">"scope : ${scopes.keySet()}"</span><span class="nt">></span>
<span class="nt"><label</span> <span class="na">th:for=</span><span class="s">"${scope}"</span> <span class="na">th:text=</span><span class="s">"${scope}"</span><span class="nt">></span>scope.read<span class="nt"></label></span>
<span class="nt"><input</span> <span class="na">type=</span><span class="s">"checkbox"</span> <span class="na">th:id=</span><span class="s">"${scope}"</span> <span class="na">th:name=</span><span class="s">"${scope}"</span> <span class="na">th:value=</span><span class="s">"true"</span> <span class="nt">/></span>
<span class="nt"></div></span>
<span class="nt"><div></span>
<span class="nt"><button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">></span>동의하기<span class="nt"></button></span>
<span class="nt"></div></span>
<span class="nt"></form></span>
<span class="nt"></div></span>
<span class="nt"></body></span>
<span class="nt"></html></span>
</code></pre></div></div>
<p>이제 url 요청을 하고, 최종결과, parameter 로 code 가 들어온다면, 성공이다.</p>
<p><img src="https://s3.ap-northeast-2.amazonaws.com/ziponia.github.io/2019-5-20/oauth-5.gif" alt="이미지" /></p>
<p>이제 받아 온 코드로 토큰 발급 요청을 해 보자.</p>
<div class="language-http highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="err">POST http://localhost:8080/oauth/token
[Header]
Content-Type: application/x-www-form-urlencoded
[Params]
grant_type=authorization_code
&client_id=clinet
&clinet_secret=secret
&redirect_uri=http://localhost:4000/api/callback
&code={코드 받기에서 발급받은 code 값}
</span></code></pre></div></div>
<p>사실 <a href="https://developers.kakao.com/docs/restapi/user-management#%EB%A1%9C%EA%B7%B8%EC%9D%B8">카카오 로그인 하기</a></p>
<p>에서 나오는 인증 flow 와 완전히 동일하다. (같은 oauth2 인증 플로우를 사용하니…)</p>
<p>이제 넘어 온 코드로 토큰을 받아보자.</p>
<p><img src="https://s3.ap-northeast-2.amazonaws.com/ziponia.github.io/2019-5-20/oauth-6.gif" alt="이미지" /></p>
<p>이제 ResourceServerConfig 에 /api/private 경로를 추가하고, 컨트롤러를 만들어 테스트 해보자.</p>
<p><em>ResourceServerConfig.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">ResourceServerConfig</span> <span class="kd">extends</span> <span class="nc">ResourceServerConfigurerAdapter</span> <span class="o">{</span>
<span class="nd">@Override</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span>
<span class="n">http</span>
<span class="o">.</span><span class="na">requestMatchers</span><span class="o">()</span>
<span class="o">.</span><span class="na">mvcMatchers</span><span class="o">(</span><span class="s">"/api/**"</span><span class="o">)</span>
<span class="o">.</span><span class="na">and</span><span class="o">()</span>
<span class="o">.</span><span class="na">authorizeRequests</span><span class="o">()</span>
<span class="o">.</span><span class="na">antMatchers</span><span class="o">(</span><span class="s">"/api/login"</span><span class="o">).</span><span class="na">permitAll</span><span class="o">()</span>
<span class="o">.</span><span class="na">antMatchers</span><span class="o">(</span><span class="s">"/api/private"</span><span class="o">).</span><span class="na">hasAnyRole</span><span class="o">(</span><span class="s">"USER"</span><span class="o">)</span> <span class="c1">// here</span>
<span class="o">.</span><span class="na">antMatchers</span><span class="o">(</span><span class="s">"/api/**"</span><span class="o">).</span><span class="na">hasAuthority</span><span class="o">(</span><span class="s">"CLIENT"</span><span class="o">)</span>
<span class="o">.</span><span class="na">and</span><span class="o">()</span>
<span class="o">.</span><span class="na">formLogin</span><span class="o">()</span>
<span class="o">.</span><span class="na">loginPage</span><span class="o">(</span><span class="s">"/api/login"</span><span class="o">)</span>
<span class="o">.</span><span class="na">and</span><span class="o">()</span>
<span class="o">;</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre></div></div>
<p><em>ApiController.java</em></p>
<div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@RestController</span>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">ApiController</span> <span class="o">{</span>
<span class="c1">// ...</span>
<span class="nd">@GetMapping</span><span class="o">(</span><span class="n">value</span> <span class="o">=</span> <span class="s">"/api/private"</span><span class="o">)</span>
<span class="kd">public</span> <span class="nc">Map</span><span class="o"><</span><span class="nc">String</span><span class="o">,</span> <span class="nc">String</span><span class="o">></span> <span class="nf">privateApi</span><span class="o">()</span> <span class="o">{</span>
<span class="nc">Map</span><span class="o"><</span><span class="nc">String</span><span class="o">,</span> <span class="nc">String</span><span class="o">></span> <span class="n">model</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HashMap</span><span class="o"><>();</span>
<span class="n">model</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"name"</span><span class="o">,</span> <span class="s">"jihoon"</span><span class="o">);</span>
<span class="n">model</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"nick"</span><span class="o">,</span> <span class="s">"zef"</span><span class="o">);</span>
<span class="k">return</span> <span class="n">model</span><span class="o">;</span>
<span class="o">}</span>
<span class="c1">// ...</span>
</code></pre></div></div>
<p><img src="https://s3.ap-northeast-2.amazonaws.com/ziponia.github.io/2019-5-20/oauth-7.gif" alt="이미지" /></p>
<p>꽤 멋진(?) 인증 시스템이 완료 되었다. 이제 외부로 client id 와 client secret 를 제공하여,</p>
<p>리소스에 접근 권한을 줄 수 있다.</p>최종 목표[RN] React Native Build2019-05-20T00:00:00+00:002019-05-20T00:00:00+00:00https://ziponia.github.io/2019/05/20/react-native-build<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ yarn install
$ react-native run-android
</code></pre></div></div>
<h2 id="debugging-app-export">debugging app export</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ react-native bundle --platform android --dev false --entry-file index.js --bundle-output android/app/src/main/assets/index.android.bundle --assets-dest android/app/src/main/res
$ cd android
</code></pre></div></div>
<p><em>window</em></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ gradlew.bat assembleDebug
</code></pre></div></div>
<p><em>Mac OS</em></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ gradlew assembleDebug
</code></pre></div></div>
<h1 id="production">production</h1>
<ul>
<li>참고 http://wagunblog.com/wp/?p=2371</li>
</ul>
<h2 id="create-signkey">create signkey</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ cd android/app
$ keytool -genkey -v -keystore kr.wise7034.RealTimeEmergencyDepartmentInfo.keystore -alias kr.wise7034.RealTimeEmergencyDepartmentInfo.remote -keyalg RSA -keysize 2048 -validity 10000 -storepass {YOUR_PASSWORD}
</code></pre></div></div>
<h2 id="set-android-properties">set android properties</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ cd android
// open gradle.properties
// add code
MYAPP_RELEASE_STORE_FILE=kr.wise7034.RealTimeEmergencyDepartmentInfo.keystore
MYAPP_RELEASE_KEY_ALIAS=kr.wise7034.RealTimeEmergencyDepartmentInfo.remote
MYAPP_RELEASE_STORE_PASSWORD={keystore password}
MYAPP_RELEASE_KEY_PASSWORD={keystore password}
// open app/build.gradle
android {
defaultConfig { ... }
signingConfigs {
release {
storeFile file(MYAPP_RELEASE_STORE_FILE)
storePassword MYAPP_RELEASE_STORE_PASSWORD
keyAlias MYAPP_RELEASE_KEY_ALIAS
keyPassword MYAPP_RELEASE_KEY_PASSWORD
}
}
buildTypes {
release {
...
signingConfig signingConfigs.release
}
}
}
</code></pre></div></div>
<h2 id="build">build</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ react-native bundle --platform android --dev false --entry-file index.js --bundle-output android/app/src/main/assets/index.android.bundle
$ cd android
$ ./gradlew app:assembleRelease --stacktrace (or window ./gradlew -> gradlew.bat)
</code></pre></div></div>
<h2 id="build-test">build test</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ react-native run-android --variant=release
</code></pre></div></div>
<h2 id="bug-report">bug report</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[drawable-hdpi-v4/node_modules_reactnavigationstack_src_views_assets_backicon] C:\workspace\image-vision-rn\android\app\src\main\res\drawable-hdpi\node_modules_reactnavigationstack_src_views_assets_backicon.png [drawable-hdpi-v4/node_modules_reactnavigationstack_src_views_assets_backicon] C:\workspace\image-vision-rn\android\app\build\generated\res\react\release\drawable-hdpi\node_modules_reactnavigationstack_src_views_assets_backicon.png: Error: Duplicate resources
[drawable-mdpi-v4/node_modules_reactnativeratings_src_images_airbnbstar] C:\workspace\image-vision-rn\android\app\src\main\res\drawable-mdpi\node_modules_reactnativeratings_src_images_airbnbstar.png [drawable-mdpi-v4/node_modules_reactnativeratings_src_images_airbnbstar] C:\workspace\image-vision-rn\android\app\build\generated\res\react\release\drawable-mdpi\node_modules_reactnativeratings_src_images_airbnbstar.png: Error: Duplicate resources
</code></pre></div></div>
<p>위와 같은 버그가 난다면,</p>
<p><code class="language-plaintext highlighter-rouge">android/app/src/main/res/drawable-*</code> 폴더를 삭제하자</p>
<p><a href="https://github.com/facebook/react-native/issues/22234#issuecomment-468545832">참고 스택오버플로우</a></p>$ yarn install $ react-native run-androidMSA 란2019-05-20T00:00:00+00:002019-05-20T00:00:00+00:00https://ziponia.github.io/2019/05/20/react-native-sample<blockquote>
<p>SKplanet Tacademy 의 임성묵님의 발표자료를 옮겨 둔 내용입니다.
임성묵님과, 자료를 준비 해 주신, SKplanet Tacademy 에 감사드립니다.</p>
</blockquote>
<p>자료출처: https://www.youtube.com/watch?v=D6drzNZWs-Y</p>
<p>콘웨이의 법칙</p>
<p>#[모놀리틱 애플리케이션]</p>
<ul>
<li>모든조직은 조직의 의사소통 구조(communication structure)와 똑같은 구조를 갖는 시스템을 설계한다.</li>
<li>콘웨이의 법칙은 조직도에 초점을 두지않고, “실질적인 소통관계” 에 관심을 둔다. 너무 많은 통신관계를 갖는 것은 프로젝트에 대한 진정한 위험이 된다.</li>
</ul>
<p>예를들어, 주문팀이 뭔가 해결하려면 정산팀에다도 물어봐야 하고, UI 팀에도 물어봐야 한다.
너무 많은 소통이 필요함.</p>
<p>장점</p>
<ul>
<li>개발이 단순하다.</li>
<li>배포가 단순하다</li>
<li>스케일-아웃이 단순하다 ( 서버 하나만 복사하면 된다. ) (DB 성능 한계가 있다.)</li>
</ul>
<p>단점</p>
<ul>
<li>무겁다. [IDE 가 못받쳐줌]</li>
<li>어플리케이션 시작이 오래걸린다.</li>
<li>기술스택 바꾸기가 어렵다.</li>
<li>다른 서비스와의 높은 결합도</li>
<li>코드베이스의 책임 한계와 소유권이 불투명</li>
<li>레거시를 계속 하고있으면 개발자의 만족도가 굉장히 떨어짐</li>
</ul>
<p>이쯤.. 회사가 결정하게 된다.</p>
<ul>
<li>새로운 언어, 깔끔한 코드로 전면 재개편함. ( 차세대 프로젝트, 빅뱅 ) [</li>
<li>MSA 플랫폼을 구축하여, 기존 레거시를 고사(strangle) 시킴</li>
</ul>
<p>#[MSA]</p>
<ul>
<li>시스템을 여러개의 독립된 서비스로 나눠서, 서비스를 조합함으로써 기능을 제공하는 아키텍쳐 디자인 패턴</li>
</ul>
<h2 id="사례1-제프베조스-의-메일-2002년">사례1. 제프베조스 의 메일 2002년</h2>
<p>제프베조스 - 컴퓨터 공학과 출신 개발자 , 아마존 CEO</p>
<ol>
<li>모든 팀들은 데이터와 기능들을 서비스 인터페이스로 연결시켜라.</li>
<li>팀들은 이 인터페이스를 통해서만 연락해야한다.</li>
<li>다른 어떤 커뮤니케이션 방법도 허용되지 않는다. 직접 링크를 보내거나 다른팀의 스토리지에 직접 억세스 해서도 안되며, 공유 메모리나, 백도어 같은것도 안된다.
모든 커뮤니케이션은 네트워크를 통한 서비스 인터페이스로 이루어져야한다.</li>
<li>어떤 기술을 쓰든 상관없다. HTTP, Cobra, Pubsub, 독자프로토콜.. 그건상관없다. 베조스는 그런데 관심없다.</li>
<li>모든 서비스 인터페이스는 예외없이 외부에서 이용가능하게 만들어져야한다. 그말은 팀들은 외부 개발자들이 인터페이스를 이용할 수 있게 해야 한다는것이다. 예외는 없다.</li>
<li>이를 실천하지 않는 사람은 누구든 해고될 것이다.</li>
</ol>
<ul>
<li>2006년 아마존 웹 서비스 (aws) 릴리즈</li>
</ul>
<h2 id="사례2-넷플릭스의-선택">사례2 [넷플릭스의 선택]</h2>
<ul>
<li>2008년 데이터베이스에 심각한 문제가 발생해, 고객에게 DVD 를 보낼 수 없는 사태발생 (Single Points of failure)
<ul>
<li>Scale-up 확장만 가능한 인프라 스트럭쳐와 단일 장애지점(SPOF) 이라는 한계에서 벗어나길 선언</li>
<li>시작은 아파치 카산드라.</li>
</ul>
</li>
<li>2009년 AWS 로 이관시작
<ul>
<li>세가지 목표에 집중. 확장성(Scalability), 성능(Performance), 가용성(Availability)</li>
</ul>
</li>
<li>‘자체 보유 인프라와 솔루션으로는 이렇게 급증한 트래픽을 감당할수 있는 확장성을 확보 할 수 없었을것’ - 유리 이즈라일레프스키(Yuri lzrailevsky), 넷플릭스 클라우드 및 플랫폼 엔지니어링 부문 부사장</li>
<li>온프레미스 환경 -> 클라우드 환경</li>
</ul>
<p>#[그래서 MSA 란?]</p>
<ul>
<li>공식적인 정의는 없음. 단지 공감대가 있을뿐 ( 위키피디아 )</li>
<li>각 서비스간 네트워크를 통해 ( 보통 HTTP )</li>
<li>독립된 배포 단위</li>
<li>각서비스는 쉽게 교체 가능</li>
<li>각 서비스는 ‘기능중심’ 으로 구성됨 eg, 프론트엔드, 추천, 정산, 상품 등</li>
<li>각서비스에 적합한 프로그래밍 언어, 데이터베이스, 환경 으로 만들어진다.</li>
<li>서비스는 크기가 작고, 상황에 따라 ‘경계’ 를 정하고, ‘자율적으로 개발’ 되고, ‘독립적으로 배포’ 되고, ‘분산’ 되고, ‘자동화된 프로세스’ 로 구축되고 배포된다.</li>
<li>마이크로 서비스는 한 팀에 의해 개발할 수 있는 크기가 상한선이다. 절대로 3~9명의 사람들이 스스로 더 많은 개발을 할 수 없을 정도로 커지면 안된다.</li>
<li>‘마이크로 서비스는 아직까지 아이디어 수준에서 크게 벗어나 있지 않다. 다양한 산업 분야에서 폭넓게 적용되고 있지만. 그것이 좋은지 나쁜지는 시간이 더 지나봐야 알 수 있다.’ - 조쉬 롱, 케니 바스타니, 피보탈</li>
</ul>SKplanet Tacademy 의 임성묵님의 발표자료를 옮겨 둔 내용입니다. 임성묵님과, 자료를 준비 해 주신, SKplanet Tacademy 에 감사드립니다.